Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2010 DHS Financial Statement Audit

OIG-11-79                                              May 2011

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

MAY 06 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the Federal Emergency Management Agency (FEMA) component of the DHS financial statement audit as of September 30, 2010. It contains observations and recommendations related to IT internal control that were summarized in the Independent Auditor's Report dated November 12, 2010 and presents the separate restricted distribution report mentioned in that report.
The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at the FEMA component in support of the DHS FY 2010 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated March 22, 2011, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control, or a conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Assistant Inspector General
Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

March 22, 2011

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
Federal Emergency Management Agency

Ladies and Gentlemen:

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or Department), as of September 30, 2010 and the related statement of custodial activity for the year then ended (hereinafter referred to as "financial statements"). We were also engaged to examine the Department's internal control over financial reporting of the balance sheet as of September 30, 2010 and the statement of custodial activity for the year then ended.
We were not engaged to audit the statements of net cost, changes in net position, and budgetary resources as of September 30, 2010 (hereinafter referred to as "other fiscal year (FY) 2010 financial statements"), or to examine internal control over financial reporting over the other FY 2010 financial statements.

Because of matters discussed in our Independent Auditors' Report, dated November 12, 2010, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements or on the effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2010, and the related statement of custodial activity for the year then ended. Additional deficiencies in internal control over financial reporting, potentially including additional material weaknesses and significant deficiencies, may have been identified and reported had we been able to perform all procedures necessary to express an opinion on the financial statements or on the effectiveness of DHS' internal control over financial reporting of the balance sheet as of September 30, 2010, and the related statement of custodial activity for the year then ended; and had we been engaged to audit the other FY 2010 financial statements, and to examine internal control over financial reporting over the other FY 2010 financial statements.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

The Federal Emergency Management Agency (FEMA) is a component of DHS. During our audit engagement, we noted certain matters in the areas of information technology (IT) configuration management, security management, access controls, segregation of duties, and contingency planning with respect to FEMA's financial systems IT general controls, which we believe collectively contribute to an IT material weakness at the DHS level. These matters are described in the IT General Control Findings and Recommendations section of this letter.

Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

The material weakness described above is presented in our Independent Auditors' Report, dated November 12, 2010. This letter represents the separate limited distribution letter mentioned in that report.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through Notices of Finding and Recommendation (NFR).

Because of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
We aim to use our knowledge of FEMA gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key FEMA financial systems and IT infrastructure within the scope of our engagement to audit the FY 2010 DHS financial statements in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the FEMA Chief Financial Officer.

FEMA's written response to our comments and recommendations, presented in Appendix D, has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

This communication is intended solely for the information and use of DHS and FEMA management, DHS Office of Inspector General, U.S. Office of Management and Budget, U.S. Government Accountability Office, and the U.S.
Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Federal Emergency Management Agency
Information Technology Management Letter
September 30, 2010

INFORMATION TECHNOLOGY MANAGEMENT LETTER
TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings and Recommendations
IT General Control Findings and Recommendations
    Configuration Management
    Security Management
    Access Controls
    Segregation of Duties
    Contingency Planning
Application Controls
Management's Comments and OIG Response

APPENDICES

Appendix   Subject
A          Description of Key Federal Emergency Management Agency Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial Statement Audit Engagement
B          FY 2010 Notices of IT Findings and Recommendations at the Federal Emergency Management Agency
           • Notice of Findings and Recommendations – Definition of Severity Ratings
C          Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at the Federal Emergency Management Agency
D          Management's Comments

OBJECTIVE, SCOPE, AND APPROACH

In connection with our engagement to audit the Department of Homeland Security's (DHS or department) balance sheet as of September 30, 2010 and the related statement of custodial activity for the year then ended, we performed an evaluation of information technology general controls (ITGC) at the Federal Emergency Management Agency (FEMA), to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our ITGC evaluation procedures.
The scope of the ITGC evaluation is further described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment:

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as
testing over certain key financial application controls in the FEMA environment. The technical security testing was performed from within a select FEMA facility and focused on production devices that directly support FEMA's financial processing and key general support systems. Limited social engineering and after-hours physical security testing was also included in the scope of technical security testing.

Additionally, during FY 2009, we were informed by FEMA management that the Grants & Training (G&T) Integrated Financial Management Information System (IFMIS) and Core IFMIS versions would be merged into one system. Between October 1, 2009 and February 22, 2010, G&T and Core IFMIS were both operational and used to process FEMA financial data. As a result, we performed testing for both the Core and G&T IFMIS versions.

On February 23, 2010, FEMA suspended the use of the G&T IFMIS version and had completed the final changes to Core IFMIS, which would then become IFMIS-Merger.
We were informed that the final IFMIS-Merger version went live on February 23, 2010 and is now the system of record. Therefore, for the purposes of this letter, the audit testwork conducted over general controls and the weaknesses identified for Core IFMIS are reported as part of controls over IFMIS-Merger.

In addition to testing FEMA's general control environment, we performed application control tests on a limited number of FEMA's financial systems and applications, specifically those supporting the National Flood Insurance Program (NFIP). The application control testing was performed to assess the controls that support the financial systems' internal controls over the input, processing, and output of financial data and transactions. Application Controls (APC) are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2010, FEMA took corrective action to address certain prior year IT control weaknesses.
For example, FEMA made improvements in implementing certain logical and physical access controls over NFIP information systems, as well as in developing and maintaining the inventory of FEMA Chief Financial Officer (CFO)-designated financial management systems.

However, during FY 2010, we continued to identify ITGC weaknesses that could potentially impact FEMA's financial data. The most significant weaknesses from a financial statement audit perspective related to controls over security management, access control, configuration management, and contingency planning for IFMIS-Merger, G&T IFMIS, the National Emergency Management Information System (NEMIS), the Payment and Reporting System (PARS), Traverse, the Transaction Record Reporting and Processing (TRRP) system, and associated General Support System (GSS) environments, as well as weaknesses over physical security and security awareness. Collectively, the ITGC weaknesses limited FEMA's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over FEMA financial reporting and its operation, and we consider them to collectively contribute to a material weakness at the DHS level under standards established by the American Institute of Certified Public Accountants. In addition, based upon the results of our test work, we noted that FEMA did not fully comply with the requirements of the Federal Financial Management Improvement Act of 1996.

Of the 63 findings identified during our FY 2010 testing, 50 were repeat findings, either partially or in whole from the prior year, and 13 were new IT findings.
These findings represent weaknesses in each of the five FISCAM key control areas.

The majority of findings resulted from the lack of properly designed, detailed, and consistent guidance over financial system controls to enforce DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings stem from:

1) the lack of formal designation of financial system security responsibilities,
2) inadequately designed and operating access control policies and procedures relating to the management of access to financial applications, databases, and support systems, and supervisor recertification of user access privileges,
3) insufficient logging of system events and monitoring of audit logs,
4) inadequately designed and operating configuration management policies and procedures,
5) patch, configuration, and vulnerability management control deficiencies within the system,
6) financial systems that were not properly certified and accredited and authorized to operate, and
7) the lack of adequately documented or tested contingency plans.
These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and FEMA financial data could be compromised, thereby undermining the integrity of FEMA financial data used by management and reported in the DHS financial statements.

While the recommendations made by us should be considered by FEMA, it is the ultimate responsibility of FEMA management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During the FY 2010 DHS financial statement audit engagement, we identified the following financial system ITGC deficiencies at FEMA that collectively contribute to an IT material weakness at the department level. Our findings focused on financial systems controls, as testing over IT system functionality could not be conducted.

Configuration Management:
• Documented and approved procedures that establish formal requirements, processes, and responsibilities for performing regular vulnerability scans of NEMIS, IFMIS-Merger and G&T IFMIS had not been developed and implemented.
Additionally, during periodic internal scans, vulnerabilities identified and related corrective actions were not reported and tracked via the Plan of Action & Milestones (POA&M) process in accordance with DHS policy.
• Formal procedures for conducting internal scans of the NFIP Local Area Network (LAN) supporting Traverse were not developed, and scans were not conducted by FEMA or NFIP contractor management. Additionally, a formal process did not exist for the remediation of vulnerabilities identified during internal scans to ensure that the vulnerabilities were tracked and monitored via the POA&M process.
• The list of NEMIS servers currently scanned internally by FEMA is incomplete and does not represent the current NEMIS system boundary. Additionally, NEMIS system owners are not receiving listings of all vulnerabilities noted on their system components to ensure corrective action is assigned for tracking and remediation.
• The Standard Operating Procedure (SOP) for monitoring sensitive access to NEMIS operating system software was not implemented and did not include all NEMIS operating system servers that were within scope.
Additionally, no application or tool was in place to support the audit logging function on the NEMIS servers.
• NEMIS configuration management is not adequately and centrally controlled, documented, or managed throughout the lifecycle of the FEMA configuration management process. Additionally, implemented emergency and non-emergency changes to NEMIS system software were not consistently documented, tested, approved, controlled, tracked, and retained on file.
• No formalized change management procedures exist for deploying changes to the NEMIS production environment to ensure that the movement of production code for NEMIS is appropriately controlled. Additionally, evidence could not be provided that management had appropriately restricted and controlled access to the NEMIS production application, web, and database servers for the deployment of changes.
• G&T IFMIS contracted developers/programmers were granted unrestricted access to the production environment through the "ifmiscm" account, which was used to deploy changes into production.
• Comprehensive configuration baselines for all relevant network devices such as firewalls, routers, and switches that support in-scope financial systems had not been established. Furthermore, configuration management policies and procedures did not include comprehensive requirements for
the frequency, documentation and performance of monitoring audits for these baselines to ensure that configuration items (CIs) within the scope of the IFMIS-Merger and NEMIS systems are documented and monitored in accordance with FEMA policy.
• Adequate segregation of duties controls had not been established for the movement of IFMIS-Merger changes into production, as the IFMIS-Merger developer migrates changes into production. Additionally, formal procedures were not implemented to require monitoring of developers' changes to IFMIS-Merger directories and sub-directories to review and validate implemented changes. Furthermore, the informal reviews of developer activities that were conducted did not provide enough information to ensure that the approved changes were implemented.
• Throughout the lifecycle of the project to merge G&T IFMIS and Core IFMIS into IFMIS-Merger, FEMA management did not adequately define, implement, and integrate the required elements of the DHS System Engineering Life Cycle (SELC) process.
We noted that the project lacked defined project review stages and approvals, system security requirements and milestones were not documented and integrated into the project plan, and a Data Migration Plan and Testing Strategy could not be provided.
• The configuration management plans for IFMIS-Merger, Traverse, and TRRP did not comprehensively provide guidance to address all configuration management control elements required by FEMA and DHS policy for standard and emergency changes.
• TRRP changes were not approved prior to development and implementation into production.
• Formal patch management procedures for approving, testing, and ensuring timely installation of operating system patches for NEMIS, IFMIS-Merger, and G&T IFMIS were not developed and finalized until April 2010. Additionally, FEMA had not fully and consistently implemented the requirements and procedures documented.
• Documented change management procedures did not include requirements for approving, testing, and ensuring timely installation of operating system patches for the NFIP LAN supporting Traverse.
• The third-party development vendor was allowed use of NFIP system administrator accounts to log on and create sessions for installing Traverse system changes, and a formal process was not established for monitoring changes made by the vendor.

Security Management:
• Policies and procedures requiring the completion and tracking of specialized training for FEMA employees and contractors with significant information security responsibilities had not been established or implemented as required by DHS policy.
Additionally, with the exception of Information System Security Officers (ISSOs), FEMA had not formally identified all individuals or positions that were subject to the training requirements.
• G&T IFMIS was not certified and accredited prior to implementation into the production environment in FY 2007 and had been operating without an Authorization to Operate (ATO) for the majority of FY 2010.
• Web and application servers for PARS had not been certified and accredited, and the PARS database operated for the majority of FY 2010 without an adequate ATO.
• ISSOs were not formally designated for G&T IFMIS and PARS for the majority of the fiscal year.
• Certification and accreditation (C&A) activities for IFMIS-Merger and NEMIS were not completed in accordance with DHS and NIST requirements.
• The FEMA Switch Network (FSN)-2 C&A package was not completed in compliance with DHS and NIST requirements and had not been updated to reflect the current operating environment. Additionally, the ATO expired in January 2010 and was not renewed.
As a result, the FSN-2 GSS was operating without a valid ATO.
• Although the FSN-2 C&A package references various subsystems supporting and hosting IFMIS and NEMIS, FEMA management was unable to identify and confirm the FSN-2 subsystems (including regional LANs) that host all the production servers for the NEMIS and IFMIS applications.
• The system security plan (SSP) for NEMIS did not fully document the system boundaries, define all subsystems and major applications, or document the assignment of FEMA personnel with security responsibilities for all system components.
• The legacy NFIP IT system comprising the Traverse application, TRRP application, and NFIP LAN had not been certified and accredited or fully authorized for operation in accordance with DHS policy for FY 2010.
• Procedures for managing FEMA IT security incidents were not developed, approved, and implemented in accordance with DHS policy.
• Entity-level corrective actions to integrate and develop sufficient and effective methods of communication to ensure that significant financial-related system development and acquisition projects involve all relevant stakeholders, including the Office of the Chief Financial Officer (OCFO), had not been established.
Additionally, FEMA management had not taken action to enhance and further develop current acquisition management processes to ensure that organization-specific requirements exist and are implemented so that each project meets organizational mission needs and functional and technical requirements as required by DHS and NIST guidance.
• IT security management responsibilities were not consistently or adequately assigned and performed over the FEMA POA&M process for FY 2009 IT audit findings, in accordance with DHS guidance.
• Suitability investigations for FEMA federal employees and contractors were not appropriately conducted, and employees and contractors with elevated system privileges did not have appropriate position sensitivity designations. Additionally, formal procedures were not developed or implemented for conducting suitability screenings for contractors accessing DHS IT systems.
• FEMA did not have a process for centrally tracking the status of contractors or an effective and formal process for notifying the Office of the Chief Information Officer (OCIO) of changes in contractor status so that contractor user accounts could be appropriately disabled, removed, or modified in a timely manner.

Related to security management, we performed after-hours physical security testing to identify
risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to media and equipment that housed financial data, and information residing on a FEMA employee's or contractor's desk which could be used by others to gain unauthorized access to systems housing financial information. The specific results are listed below:

                                             FEMA Locations Tested                         Total
  Exceptions Noted                 Washington     Patriots      TechWorld    Exceptions
                                  Design Center     Plaza                      by Type
  Passwords                             5              3             3              11
  For Official Use Only (FOUO)          0              1             0               1
  Keys                                  0              0             0               0
  Personally Identifiable               3              2             3               8
  Information (PII)
  External Drives                       0              0             1               1
  Server Names/IP Addresses             2              2             0               4
  Credit Card Numbers                   0              1             1               2
  Classified Documents                  0              0             0               0
  Other                                 1              2             3               6
  Total by Location                    11             11            11              33

To complement FY 2010 security management audit procedures, social engineering testing was conducted.
Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing or enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering or gaining computer system access. During the social engineering testing, several personnel provided us with user IDs and/or passwords. The specific results of our testing are documented in the table below:

  Testing       Total    Total       # of Personnel Who      # of Personnel Who    # of Personnel Who
  Date          Called   Answered    Provided Their User     Provided Their        Provided Their
                                     ID and Password         User ID Only          Password Only
  07/08/2010      25       11                2                       4                     0
  08/11/2010      34       11                1                       8                     1

Access Controls:
   • Password, security patch management, and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the key financial applications and
      general support systems.
   • TRRP, IFMIS-Merger, G&T IFMIS, NEMIS, and PARS application and/or database accounts, network accounts, and remote user accounts were not periodically reviewed for appropriateness and/or were not fully and accurately recertified in accordance with FEMA and DHS policy, resulting in inappropriate authorizations and excessive user access privileges. For G&T IFMIS, we determined that recertification of user accounts had not been conducted since the application was implemented at FEMA in FY 2007.
   • IFMIS-Merger, G&T IFMIS, and NEMIS application accounts, network accounts, and remote user accounts were not disabled or removed promptly upon personnel termination.
   • Initial and modified access granted to IFMIS-Merger, G&T IFMIS, and PARS financial application and/or database, network, and remote users was not properly documented and authorized.
   • Documented procedures for auditing the NEMIS, IFMIS-Merger, G&T IFMIS, and PARS databases were not comprehensive and did not meet DHS requirements. Additionally, for these financial systems and the NFIP LAN and TRRP, logging of operating system, application, and/or database events required to be recorded was not enabled for some or all of the events, audit logs were not appropriately reviewed and/or were reviewed by those with conflicting roles, and evidence of audit log reviews was not retained.
   • Strong password requirements were not enforced on the NEMIS, IFMIS-Merger, G&T IFMIS, and PARS databases and the FEMA LAN.
   • FEMA's process for authorizing and managing remote virtual private network (VPN) access for external state emergency management agencies and FEMA contractors did not comply with DHS and FEMA requirements.
      Specifically, existing documentation did not define the requirements for administering the site survey process with external organizations seeking VPN access, or identify FEMA roles and responsibilities for managing VPN access granted to external individuals using non-DHS equipment to access the FEMA network.
   • A formalized process for modifying IFMIS-Merger system security functions, to ensure that appropriate privileges are created, documented, approved, and monitored, did not exist.
   • Two-factor authentication was not used for VPN access, as required by DHS policy.
   • System administrator root access to IFMIS-Merger and G&T IFMIS was not properly restricted, logged, and monitored.
   • Emergency and temporary access to the IFMIS-Merger and G&T IFMIS databases was not properly authorized, and contractor development personnel were granted conflicting access to implement database changes.

Segregation of Duties:
   • Access was inappropriately granted to NEMIS developers to allow unrestricted access to both the production and development code in the Test and Development Laboratory (TDL) environment, and NEMIS code approved for implementation was not locked down within the TDL environment prior to deployment to production to further restrict developer access.
   • Additional segregation of duties weaknesses were noted in other FISCAM
      areas. Specifically, weaknesses in those areas pertain to access controls over audit log reviews and configuration management controls for migrating code into production. See those respective sections for additional information.

Contingency Planning:
   • An alternate processing site for NEMIS was not established and implemented. Additionally, an exception to DHS policy for the lack of an established alternate processing site, as required for systems such as NEMIS that are categorized as "high impact" for availability, had not been requested by FEMA.
   • Documented procedures that outline processes for performing backups of NEMIS production databases and for rotating and physically securing backup tapes off-site had not been formally defined. Additionally, evidence that all databases were being backed up could not be provided.
   • NEMIS backup tapes were not regularly tested in accordance with FEMA and DHS policy.
   • Full-scale testing of the NEMIS contingency plan was not conducted, and the plan did not adequately and comprehensively include information for fully restoring NEMIS in accordance with requirements for high impact availability systems, or accurately include NEMIS system architecture information.
   • The existing NFIP LAN and Traverse contingency plan had not been updated and was not in compliance with DHS and NIST requirements.
      Additionally, the plan had not been tested within the past 12 months, and no alternate processing site had been identified.
   • A documented and approved IT contingency plan for the mainframe environment supporting the TRRP system had not been completed, and contingency testing over TRRP was not sufficiently conducted in accordance with DHS and NIST requirements.
   • The NFIP contractor's Continuity of Operations Planning (COOP) for Traverse and TRRP could not be provided for auditor review.

Recommendations:
No recommendations are required for the G&T IFMIS portions of the conditions noted above, as the system was decommissioned in June 2010. We recommend that the FEMA Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS OCFO and the DHS OCIO, make the following improvements to FEMA's financial management systems and associated information technology security program.

For Configuration Management:
   • Develop, finalize, and implement formal procedures over the NEMIS and IFMIS-Merger operating systems and the NFIP LAN supporting Traverse for: (1) conducting periodic internal vulnerability scans of FEMA and NFIP financial systems; (2) assessing, reporting, tracking, and monitoring the correction of vulnerabilities identified during internal scans; and (3) ensuring procedures are implemented for all components of the systems;
   • Revise, implement, and ensure adherence to the SOP for monitoring sensitive access to NEMIS operating system software, to ensure that the scope of the procedures includes all defined NEMIS servers, and deploy the appropriate tool(s) to support audit logging functions on the NEMIS servers, in accordance with FEMA and DHS policy;
   • Develop and implement configuration management policies and procedures for NEMIS emergency and non-emergency changes to financial systems application software, and ensure consistent adherence with requirements for approving, testing, documenting, properly controlling and tracking changes, and retaining related documentation;
   • Document and implement a formalized process and procedures for deploying NEMIS changes, to ensure that the movement of production code for the NEMIS production environment is appropriately controlled;
   • Revise and implement configuration management policies and procedures over documenting and maintaining current baseline configurations for network devices supporting financial applications, including IFMIS-Merger and NEMIS, to ensure DHS and FEMA requirements are adequately addressed and configuration baselines are comprehensively documented by FEMA. Additionally, policies and procedures should include guidance over requirements such as roles and responsibilities, documentation of baselines, periodic review and auditing, and approval of baseline changes for network devices;
   • Limit IFMIS-Merger developer access to the production environment to "read only," and segregate the responsibility for deploying application code changes into production from the development contractor to an independent control group.
      If business needs require that the segregation of duties cannot be immediately implemented, develop and implement formal procedures for conducting periodic reviews of IFMIS-Merger developer changes to financial application directories and sub-directories, to verify that only authorized changes are implemented into production, and for retaining evidence of the reviews conducted on file;
   • Conduct and document a lessons learned report related to the IFMIS-Merger project per DHS SELC guidance;
   • Update the current versions of the IFMIS-Merger, Traverse, and TRRP configuration management plans and procedures to comprehensively address DHS and FEMA requirements. Additionally, ensure the implementation of the updated versions of the current IFMIS-Merger, Traverse, and TRRP configuration management procedures. The procedures should require initial approvals of change requests and establish a process for obtaining Change Control Board and Technical Review Committee approvals prior to implementing standard and emergency changes into production;
   • Dedicate the appropriate resources to complete efforts to further document and fully implement comprehensive patch management policies and procedures for NEMIS and IFMIS-Merger;
   • Document, finalize, and implement comprehensive patch management policies and procedures that outline requirements for authorizing, testing,
      and installing required patches for the NFIP LAN operating system supporting Traverse; and
   • Limit Traverse development vendor access to the production environment to "read only," and segregate the responsibility for deploying application code changes into production from the development contractor to an independent control group. If business needs require that the segregation of duties cannot be immediately implemented, establish a separate account for use by the NFIP third-party development vendor when implementing Traverse changes, limited to activation on an as-needed basis, and establish a process for monitoring and verifying that configuration changes by the vendor are implemented and documented in accordance with policy.

For Security Management:
   • Develop and implement policies and procedures requiring initial and periodic specialized training for individuals with significant information security responsibilities.
      Policies and procedures should identify specific roles and positions possessing significant information security responsibilities that are subject to specialized training requirements, and include requirements for tracking training;
   • Certify and accredit all components of PARS in accordance with applicable DHS policies and Federal guidance, and formally designate an ISSO for all components of the system;
   • Update and complete all required C&A artifacts for NEMIS, IFMIS-Merger, Traverse, TRRP, the NFIP LAN, and FSN-2 in accordance with DHS policy and NIST guidance. Additionally, ensure that C&A artifacts, including the risk assessment or the results of the required risk assessment activities, the Security Testing and Evaluation (ST&E), and the Security Assessment Report (SAR), are conducted and documented over all components of the systems in accordance with established DHS baseline controls according to the security categorization of the system;
   • Ensure that the NEMIS SSP is updated in accordance with DHS policy so that the system's boundaries, components, and roles and responsibilities are properly defined and documented.
      Additionally, implement a formal process for periodically reviewing and assessing system documentation to ensure software and hardware components are accurately reflected;
   • Develop and implement approved procedures for managing security incidents that clearly outline the roles and responsibilities required to maintain a continuous incident response capability, and provide training to all personnel with assigned roles and responsibilities;
   • Define and implement formal and repeatable processes to ensure that financial systems development and acquisition projects are conducted in compliance with DHS SELC and acquisition requirements and Federal guidance;
   • Establish and document a formalized process to provide IT security management oversight, to ensure that adequate periodic review and assessment of security controls are performed and corrective actions are appropriately assigned and implemented over identified security weaknesses through the POA&M process;
   • Further refine processes to ensure that background investigations for all types of federal employees and contractors are performed, and reevaluate and assign the correct position sensitivity levels for federal employees and contractors with access to DHS information systems.
      FEMA Acquisitions, FEMA Personnel Security, and FEMA IT should also work together to implement procedures to ensure a more centralized and coordinated process for tracking and completing background investigations over contractor personnel, in accordance with DHS policy;
   • Document and implement procedures for tracking contractor on-boarding, transfers, and separations that include the assignment of roles and responsibilities to appropriate FEMA management and stakeholders, and steps for notifying the OCIO and system owners of changes in contractor status that require changes to user access; and
   • Review the effectiveness of existing security awareness programs designed to protect "need-to-know" information, including IT system access credentials, electronic and physical data, PII, and FOUO agency information, and ensure that individuals are adequately instructed and reminded of their roles in the protection of sensitive system information from unauthorized individuals through formal, periodic communications and/or security awareness training.

For Access Controls:
   • Implement the specific vendor-recommended corrective actions detailed in the Notice of Finding and Recommendation (NFR) that was issued for deficiencies identified during our vulnerability assessment;
   • Fully establish and/or implement user account management recertification processes, and require completion of periodic reviews of all user accounts for appropriate access and documentation of current user profiles on IFMIS-Merger, NEMIS, TRRP, and PARS, as well as the FEMA/NFIP networks and remote user accounts.
      The processes should include revocation of accounts that cannot be verified during recertification;
   • Update, as necessary, and consistently implement procedures and processes to ensure that all system accounts, including remote access accounts, of terminated employees and contractors are immediately removed or disabled upon their departure;
   • Review and revise existing procedures to require documented authorization of new and modified user accounts by supervisors, program managers, and contracting officers' technical representatives in accordance with DHS requirements;
   • Revise and implement detailed procedures requiring the consistent and timely review of IFMIS-Merger, NEMIS, and PARS database and financial application logs, and the maintenance of documentation supporting such reviews, in accordance with DHS requirements. These procedures should also incorporate segregation of duties principles;
   • Configure audit logs for financial databases and applications to ensure that auditable events, as required by DHS policy, are recorded and appropriately reviewed by personnel without conflicting duties, and that sufficient evidence is retained;
   • Configure NEMIS, IFMIS-Merger, and PARS databases and FEMA LAN accounts to enforce strong password and authenticator control requirements, and ensure that individuals with system/database
      administration and security responsibilities are aware of and properly trained in DHS, FEMA, and Federal requirements;
   • Revise and implement policies and procedures for documenting, reviewing, and approving the security controls in place over non-DHS equipment connecting to the FEMA network via VPN access, and ensure that roles, responsibilities, and security requirements for authorizing and managing VPN access for external organizations connecting to the FEMA network are defined and implemented in accordance with DHS and FEMA policy;
   • Develop and implement policies and procedures that document the process of adding, deleting, and modifying IFMIS-Merger security functions, to ensure that the proper controls are in place for modifying user account privileges. Additionally, ensure that the use of function modification privileges is monitored;
   • Implement and require two-factor authentication for all remote access to the FEMA network;
   • Develop and implement procedures for monitoring IFMIS system administrator and highly privileged account activities and restricting access to the root account, and ensure that reviews of system logs and records are properly conducted; and
   • Establish a formal process for granting IFMIS-Merger emergency and temporary database access that includes segregation of duties considerations and appropriate approval from FEMA management, as required by DHS policy.

For Segregation of Duties:
   • Develop and implement formal processes and procedures for restricting and monitoring access to the NEMIS TDL directories, to ensure that the principles of least privilege and segregation of duties are enforced.
      The processes should include requirements for monitoring the NEMIS TDL directories to ensure that no changes occur after NEMIS system changes have been approved, and should limit developers' access to the approved production code to "read only."

For Contingency Planning:
   • Complete ongoing efforts to establish and implement an alternate processing site for NEMIS;
   • Ensure that a formal process is established and implemented to fully back up all necessary components of the NEMIS database, and periodically test NEMIS backup media at a frequency that is in accordance with FEMA and DHS policy;
   • Update the NEMIS contingency plan in accordance with DHS requirements for high impact availability systems, inclusive of accurate system architecture information; conduct documented annual tests of the plan; and, as necessary, update the plan with lessons learned from testing;
   • Update and appropriately test the NFIP contingency plan pertaining to the NFIP LAN and Traverse system, in accordance with DHS requirements; identify alternate processing sites for each system; and test fail-over capability at the alternate processing site;
   • Develop, document, and fully implement an IT contingency plan for TRRP in accordance with DHS requirements; conduct documented annual tests of the plan;
      and, as necessary, update the plan with lessons learned from testing; and
   • Document, implement, and maintain the NFIP COOP to ensure that the required elements for Traverse and TRRP are included in accordance with DHS guidance for high impact systems.

APPLICATION CONTROLS
We concluded that application controls over NEMIS, IFMIS-Merger, G&T IFMIS, and PARS could not be relied upon for purposes of our FY 2010 audit procedures because of the nature of the general IT control deficiencies identified and discussed above. As a result, we did not test application controls for these financial systems. However, we conducted certain application control testing over key financial systems supporting NFIP. Based on the testwork conducted, we did not identify any findings in the area of application controls related to NFIP during the FY 2010 DHS financial statement audit engagement.

MANAGEMENT'S COMMENTS AND OIG RESPONSE
We received written comments on a draft of this report from FEMA's Chief Information Officer. Generally, FEMA agreed with our findings and recommendations. FEMA's management has developed a remediation plan to address these findings and recommendations.
A copy of the comments is included in Appendix D.

OIG Response
We agree with the steps that FEMA's management is taking to satisfy these recommendations.

Appendix A
Description of Key Federal Emergency Management Agency Financial Systems and IT Infrastructure within the Scope of the FY 2010 DHS Financial Statement Audit Engagement

Below is a description of significant FEMA financial management systems and supporting IT infrastructure included in the scope of the DHS FY 2010 financial statement audit engagement.

Locations of Testing: FEMA Headquarters in Washington, D.C.; the Mount Weather Emergency Operations Center in Bluemont, Virginia; IT operations in Winchester, Virginia; NFIP in Crystal City, Virginia; and the NFIP contractor location in Lanham, Maryland (which was later
moved in August 2010 to Landover, Maryland).

Systems Subject to Audit:

Core Integrated Financial Management Information System (IFMIS) [1] (Operational through February 22, 2010)
Core IFMIS was the key financial reporting system and had several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting). The application was a Commercial Off-The-Shelf (COTS) software package developed and maintained by Digital Systems Group Incorporated (DSG).

Grants and Training (G&T) IFMIS [2] (Operational through February 22, 2010)
In April 2007, the Office of G&T, previously under the Department of Justice, was transferred to FEMA. Due to the short amount of time given to FEMA to take over the financial management role for G&T in FY 2007, a separate instance of IFMIS was inherited from the Department of Justice, resulting in two separate IFMIS instances at FEMA. G&T IFMIS held all former G&T financial information. The application was a COTS software package developed and maintained by DSG.

IFMIS-Merger [3] (Operational beginning February 23, 2010)
IFMIS-Merger is the official accounting system of FEMA and maintains all financial data for internal and external reporting. IFMIS-Merger is comprised of five subsystems: Funding, Cost Posting, Disbursements, Accounts Receivable, and General Ledger. The application is a COTS software package developed and maintained by DSG.

[1] During FY 2009, FEMA management reported that the G&T IFMIS and Core IFMIS versions would be merged into one system. Between October 1, 2009 and February 22, 2010, G&T and Core IFMIS were both operational and used to process FEMA financial data. On February 23, 2010, FEMA suspended the use of the G&T IFMIS version and had completed the final changes to Core IFMIS, which would then become IFMIS-Merger.
The final IFMIS-Merger version went live on February 23, 2010 and is now the system of record.\n2\n  G&T IFMIS was decommissioned in June 2010 after the merger of G&T IFMIS and Core IFMIS in\nFebruary 2010.\n3\n  On February 23, 2010, the final IFMIS-Merger version went live on February 23, 2010 and is now the\nsystem of record.\n    Information Technology Management Letter for the FEMA Component of the FY 2010 DHS \n\n                                 Financial Statement Audit \n \n\n                                          Page 16 \n \n\n\x0c                                                                                          Appendix A\n                                 Department of Homeland Security\n                             Federal Emergency Management Agency\n                             Information Technology Management Letter\n                                        September 30, 2010\n\n\nPayment and Reporting System (PARS)\n PARS is a standalone web-based application. The PARS database resides on the IFMIS-Merger\nUNIX server 4 . Through its web interface, PARS collects Standard Form 425 (SF-425) information\nfrom grantees and stores the information in its Oracle 9i database. Automated chronologic jobs are\nrun daily to update and interface grant and obligation information between PARS and IFMIS-\nMerger. All payments to grantees are made through IFMIS-Merger. Prior to the IFMIS-Merger\ninstance in February 2010, the PARS application interfaced with G&T IFMIS.\n\nNational Emergency Management Information System (NEMIS)\n \n\nNEMIS is a FEMA-wide system of hardware, software, telecommunications, services, and \n \n\napplications. NEMIS consists of many integrated subsystems distributed over hundreds of \n \n\nseparate servers accessed by thousands of client workstations.\n \n\nNEMIS is an integrated system to provide FEMA, the states, and other federal agencies with\nautomation to perform disaster related operations. 
NEMIS supports all phases of emergency\nmanagement and provides financial related data to IFMIS via an automated interface.\n\nTraverse\nTraverse is the general ledger application currently used by the NFIP Bureau and Statistical Agent\nto generate the NFIP financial statements. Traverse is a client-server application that runs on the\nNFIP LAN Windows server environment in Landover, Maryland (previously Lanham, Maryland).\nThe Traverse client is installed on the desktop computers of the NFIP Bureau of Financial Statistical\nControl group members.\n\nTransaction Recording and Reporting Processing (TRRP)\nThe TRRP application acts as a central repository of all data submitted by the Write Your Own\n(WYO) companies for the NFIP. TRRP also supports the WYO program, primarily by ensuring the\nquality of financial data submitted by the WYO companies to TRRP. TRRP is a mainframe-based\napplication that runs on the NFIP mainframe logical partition in Norwich, Connecticut.\n\n\n\n\n4\n    Prior to the merger of Core IFMIS and G&T IFMIS, PARS resided on the Core IFMIS server.\n    Information Technology Management Letter for the FEMA Component of the FY 2010 DHS \n \n\n                                 Financial Statement Audit \n \n\n                                          Page 17 \n \n\n\x0c                                                                        Appendix B\n                         Department of Homeland Security\n \n\n                     Federal Emergency Management Agency \n \n\n                     Information Technology Management Letter \n \n\n                                September 30, 2010\n\n\n\n\n                                 Appendix B \n \n\n FY 2010 Notices of IT Findings and Recommendations at the \n \n\n         Federal Emergency Management Agency \n \n\n\n\n\n\nInformation Technology Management Letter for the FEMA Component of the FY 2010 DHS \n\n                             Financial Statement Audit \n \n\n                            
Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditors' Report.

1 – Not substantial
2 – Less significant
3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided only to assist FEMA in the development of its corrective action plans for remediation of each deficiency.

Notice of Findings and Recommendations – Detail

Each NFR below gives the NFR number, the condition observed, the recommendation, whether the finding is a new or repeat issue, and its risk rating.

NFR No.: FEMA-IT-10-01 (Repeat issue; Risk rating: 3)

Condition:
During FY 2010, FEMA finalized and documented requirements, and initiated automated technical processes and controls related to the NEMIS Access Control System (NACS) Position Re-Approval Project (NPRP). Specifically, Enterprise Operations Branch personnel have begun systematically expiring position assignments and requiring supervisor reauthorization of a subset of NACS accounts and related positions progressively over a 180 day period. Due to the volume of active positions, FEMA management stated that the recertification process will recertify all NACS positions after the 180 days and is anticipated to be completed in FY 2011. Thus, while we noted that improvements were made by developing and implementing an automated process for recertifying all NACS accounts and related positions, including those related to NEMIS access, initial recertification to review and revalidate all NACS accounts and positions has still not been completed.

Recommendation:
• Complete the initial recertification of all existing NACS accounts and related positions initiated in April 2010 to ensure that all active NEMIS accounts and their associated privileges are appropriately authorized; and
• Ensure that all NACS accounts and related positions are recertified by the user's appropriate supervisor no less than annually, in accordance with DHS policy.

NFR No.: FEMA-IT-10-02 (Repeat issue; Risk rating: 3)

Condition:
FEMA has not established an alternate processing site for NEMIS. Additionally, an exception to DHS policy for the lack of an established alternate processing site, as required for systems such as NEMIS that are categorized as "high impact" for availability, has not been requested by FEMA.

Recommendation:
• Continue and complete efforts required to establish and implement an alternate processing site for NEMIS according to DHS 4300A.
• Until an alternate processing site is established, develop and submit an exception for approval in accordance with DHS policy, and ensure that compensating controls over the alternate processing site have been implemented and are effective, and documentation of their effectiveness is maintained as auditable records.
NFR No.: FEMA-IT-10-03 (Repeat issue; Risk rating: 2)

Condition:
The FEMA domain security policy is configured to enforce activation of a password-protected screensaver on end-user workstations after 15 minutes of inactivity, rather than the five minute inactivity threshold required by DHS policy.

Recommendation:
• Configure the FEMA LAN domain security policy to automatically activate a password-protected screensaver on end-user workstations after five minutes of inactivity, consistent with DHS policy.
• Implement appropriate management controls to ensure timely communication and implementation of existing and future DHS information security policy requirements pertaining to the configuration of FEMA end user workstations, and to periodically assess system controls to determine compliance.

NFR No.: FEMA-IT-10-04 (Repeat issue; Risk rating: 3)

Condition:
As noted during our FY 2009 audit procedures, weaknesses exist in processes related to logging, monitoring, and retaining audit logs on system software and operating systems supporting NEMIS. Specifically, policies and procedures related to the monitoring of activity on system software and operating systems supporting NEMIS have not been revised to include all identified operating systems and IT components that comprise the system boundary for the NEMIS application. Additionally, controls have not been configured and appropriately implemented to log, monitor, or retain sufficiently detailed audit logs for activity on NEMIS operating systems and servers.

Recommendation:
• Revise the SOP, Monitoring Sensitive Access to NEMIS, to ensure that it states that the scope of the procedures includes operating systems on all servers within system boundaries as defined in up-to-date NEMIS system documentation.
• Acquire and deploy appropriate tools on operating systems and servers supporting NEMIS to generate audit trails and records in accordance with FEMA and DHS policy.
• Implement the SOP, Monitoring Sensitive Access to NEMIS, by reviewing and retaining audit trails and records in accordance with FEMA and DHS policy.

NFR No.: FEMA-IT-10-05 (Repeat issue; Risk rating: 3)

Condition:
As identified during the FY 2009 audit engagement, PARS database security controls are not appropriately established, as noted below:
• PARS database accounts are not reviewed to identify accounts that have been inactive for 45 days or more, as required by DHS policy for high impact systems.
• Strong passwords and authenticator controls are not implemented for PARS database accounts in accordance with FEMA and DHS policy. Specifically:
    • A minimum password length is not set;
    • Password complexity is not enforced to require passwords that include a combination of upper/lowercase letters, numbers, and special characters or to restrict the use of dictionary words as passwords;
    • Reuse of previous passwords is not prohibited;
    • Passwords are not configured to expire or be changed after a pre-determined length of time; and
    • Accounts are not configured to disable after a pre-determined number of consecutive invalid login attempts.
• System-specific policies and procedures have not been developed for the PARS Oracle database, and existing policies and procedures inherited from the IFMIS application operating environment do not adequately describe implementation of FEMA policies for the generation, review, and retention of all required auditable events.
• Database audit logs are not configured to capture auditable events, including failed login attempts and administrator-level actions, as required by FEMA and DHS policy.
• Although a periodic recertification of PARS database access accounts is performed to ensure that access is still necessary and appropriate for each individual, policies and procedures over the management of accounts on the PARS Oracle database do not specify requirements for performing a periodic recertification of database accounts to validate the continued appropriateness of access. Additionally, the FY 2010 recertification of PARS Oracle database user accounts was not completed consistently and in accordance with FEMA requirements. Specifically, of a selection of recertification forms for five PARS database user accounts requested, four forms recertified access for contractors without documented Contracting Officer's Technical Representative (COTR) approval.
• Authorization of initial access for the PARS database is not consistently completed in accordance with FEMA and DHS policy. Specifically, of a selection of three PARS database access forms requested:
    • Two user accounts were granted to contractors without the required COTR signature.
    • One account was identified by Financial Systems Section (FSS) personnel as an IFMIS system account. However, no documentation justifying or authorizing the use of this system account was provided.

Recommendation:
• Document and implement a formal process to implement appropriate controls to ensure that inactive PARS database accounts are disabled in accordance with DHS policy.
• Configure PARS database accounts in accordance with DHS and FEMA requirements for passwords and authenticator controls, including expiration, reuse, and complexity.
• Document and implement system-specific processes for generating and performing reviews of PARS database audit logs and retaining auditable evidence of review in accordance with FEMA and DHS policy. Additionally, ensure that all DHS requirements are met through this process, including appropriate supervisory review and segregation of duties principles.
• Configure PARS database audit logs to capture and retain auditable events in accordance with FEMA and DHS policy.
• Further define and establish a formal process for granting initial access and recertifying access specifically to the PARS database that includes appropriate approval from FEMA management and requirements for temporary and emergency access, in accordance with DHS guidance.

Please see NFR FEMA-IT-10-48 for recommendations related to the periodic review and assessment of security controls in place to ensure that corrective actions are appropriately implemented over identified security weaknesses.

NFR No.: FEMA-IT-10-06 (Repeat issue; Risk rating: 3)

Condition:
During the FY 2010 audit engagement, we noted that FEMA has made improvements over the management of NEMIS Oracle database password controls for IT Operations database administrator accounts, specifically by configuring a 104-day password lifetime. However, the following weaknesses noted in FY 2009 continue to exist in FY 2010 for the four databases selected for testing:
• A password complexity verification function is not configured to require a combination of upper/lowercase letters, numbers, and special characters.
• Reuse of previous passwords is not prohibited.
• No minimum password length is enforced.

Recommendation:
Configure all NEMIS Oracle databases to ensure compliance with effective DHS and FEMA policy requirements for passwords and authenticator control requirements, including expiration, reuse, length and complexity.

NFR No.: FEMA-IT-10-07 (Repeat issue; Risk rating: 3)

Condition:
FEMA has made improvements over the management of IFMIS-Merger Oracle database passwords by configuring the system to retain a history of the previous ten passwords. However, upon inspection of additional database password parameters, we determined that the password history for the ten previous passwords is only retained for 30 days. Therefore, after the 30 day timeframe, the password history is erased, allowing the user to potentially use one of the previous ten passwords.

Recommendation:
Configure the IFMIS-Merger Oracle database to ensure compliance with effective DHS and FEMA policy requirements regarding the reuse of user passwords.

NFR No.: FEMA-IT-10-08 (New issue; Risk rating: 3)

Condition:
During the FY 2010 audit engagement, we selected four NEMIS Oracle databases for testing and noted that each is configured to lock accounts after three consecutive failed login attempts and to remain locked for 415 seconds (7.5 minutes) before being unlocked.

Recommendation:
Configure all NEMIS Oracle databases to ensure compliance with effective DHS and FEMA policy requirements for account lockouts due to failed login attempts.

NFR No.: FEMA-IT-10-09 (Repeat issue; Risk rating: 3)

Condition:
As noted during the FY 2009 audit engagement, the following weaknesses over audit logging controls for the NEMIS Oracle databases continue to exist in FY 2010:
• The FEMA IT Operations Branch Standard Operating Procedure (SOP) for Handling of Oracle Audit Logs has not been updated. Specifically:
    • The scope section of the SOP does not list all Oracle databases identified that comprise the NEMIS data processing environment.
    • The SOP has not been updated to address all DHS policy requirements surrounding audit trails and activity monitoring. Specifically, successful logins, access modifications, highly privileged user account activity, and changes to user profiles are not required to be logged and reviewed.
    • The SOP specifies that database administrators will review Oracle audit records, which is a violation of segregation of duties principles that require an independent review of system activity.
• On the four NEMIS databases selected for testing, configurations are not fully enabled so that a review of audit trails and activity defined by DHS policy requirements can be completed. Specifically, only failed login attempts are recorded in the audit trails of all database user accounts.

Recommendation:
• Revise the SOP for Handling of Oracle Audit Logs to ensure that procedures over requirements for logging and monitoring auditable activities on all NEMIS databases are documented in accordance with DHS and FEMA guidance and the process for audit log review is appropriately implemented for all databases within the NEMIS system boundary.
• Implement database configurations on all NEMIS databases in accordance with DHS and FEMA policy and procedures over required auditable events and activities.
• Dedicate the appropriate resources and implement the appropriate automated tools or establish manual processes to collect, review, and retain auditable activities on all NEMIS databases, to ensure compliance with DHS and FEMA policy.

NFR No.: FEMA-IT-10-10 (Repeat issue; Risk rating: 2)

Condition:
As noted during the FY 2009 audit engagement, we determined that weaknesses over the tracking of FEMA contractors continue to exist in FY 2010. Specifically:
• FEMA does not have a formal process for centrally and adequately tracking FEMA contractors throughout the on-boarding, termination, and transfer processes. As a result, FEMA could not provide a complete listing of all contractors working for FEMA.
• The process established for notifying FEMA OCIO management, including IT system administrators, of changes in contractors' status, so that accounts can be disabled/removed or account profiles can be appropriately modified in the required timeframe, is not effective or comprehensive. Specifically, no formal requirements exist for COTRs to notify the OCIO of separating contractors.

Recommendation:
• Develop, document, fully implement, and communicate formal policies and procedures, according to DHS guidelines and requirements, for centrally tracking all contractors throughout the on-boarding, termination, and transfer processes. Ensure policies and procedures include:
    • The assignment of roles and responsibilities to appropriate FEMA management and stakeholders.
    • Procedures to ensure that COTRs notify the FEMA OCIO of changes in contractors' status, including separation or transfer, so that accounts can be disabled/removed or account profiles can be appropriately modified in the required timeframe.
    • Establishment of controls for periodically monitoring the effectiveness of the process to ensure compliance with policy.
• Regularly distribute a listing of terminated contractor personnel to information system administrators so they can remove user access timely.

NFR No.: FEMA-IT-10-11 (Repeat issue; Risk rating: 3)

Condition:
While FEMA has made improvements over the review of IFMIS-Merger application activity by documenting responsibilities for performing periodic reviews of super user account activities, the following weaknesses noted in FY 2009 continue to exist in FY 2010:

Recommendation:
• Revise and implement policies and procedures that document requirements for configuring, retaining, and reviewing audit trails for the IFMIS-Merger application and database, including defined roles and responsibilities, in accordance with DHS and FEMA
policy.\n            \xef\xbf\xbd   Existing policies and procedures, including FEMA\n                Interim CFO Directive 2600-21, IFMIS User Access          \xef\xbf\xbd   Implement configurations on the IFMIS-Merger\n                and Termination, and FEMA SOP 2000-002,                       application and database to ensure that audit logs\n                Monitoring of IFMIS Database Audit Log, do not                record required auditable events and activities, in\n                require the generation, review, or retention of audit         accordance with DHS and FEMA policy.\n                logs for all activities required by FEMA and DHS\n                policy.                                                   \xef\xbf\xbd   Implement appropriate management controls to\n                                                                              ensure timely communication and implementation\n            \xef\xbf\xbd   Failed database (Oracle) and application (UNIX) login         of existing and future DHS information security\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 26 \n \n\n\x0c                                                                                                                                                    Appendix B\n                                                          Department of Homeland Security\n \n\n                                                      Federal Emergency Management Agency \n\n                                                      Information Technology Management Letter \n\n                                                                 September 30, 2010\n\n                                                                                                                                      New     Repeat    Risk\nNFR No.                            
Condition                                                Recommendation\n                                                                                                                                      Issue    Issue   Rating\n                attempts and activity performed by application users           policy    requirements     pertaining   to    the\n                with the \xe2\x80\x9csuper user\xe2\x80\x9d role remain the only forms of            configuration of audit logs on the IFMIS-Merger\n                activity logged and monitored for IFMIS-Merger.                application and database, and to periodically\n                Other types of activity required by FEMA and DHS               assess system controls to determine compliance.\n                policy,    including   successful   logins,   access\n                modifications, and changes to user profiles, are not\n                logged or monitored.\n            \xef\xbf\xbd   While we noted that logging of users accessing or\n                attempting to access the IFMIS-Merger application is\n                enabled and distributed to appropriate independent\n                reviewers, evidence of review of application login\n                attempts is not documented.\n            Additionally, we noted the following weaknesses related\n            to reviews of activity of super users within the IFMIS\xc2\xad\n            Merger application:\n            \xef\xbf\xbd   Activity of users with elevated privileges is logged\n                and reviewed on a weekly basis. 
However, FEMA\n                policy requires that audit records be captured and\n                reviewed at least every three (3) days.\n            \xef\xbf\xbd   Review of super user activity is performed by an\n                individual with super user privileges within the\n                application, in conflict with segregation of duties\n                principles.\nFEMA-IT\xc2\xad    The following weaknesses noted in FY 2009 continued to         There is no recommended corrective action specific to                X        3\n  10-12     exist in FY 2010:                                              this finding because of the decommissioning of G&T\n                                                                           IFMIS in June 2010. Any G&T IFMIS accounts\n            \xef\xbf\xbd   G&T IFMIS application user accounts were not               which now exist on the IFMIS \xe2\x80\x93 Merger instance will\n                consistently approved or authorized prior to initial       need to be included in recertification efforts that will\n                account creation or modification of account privileges.    
be performed by FEMA as corrective action to\n                Of the 25 active application users selected for testing,   remediate NFR FEMA-IT-10-14, which cites a lack of\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 27 \n \n\n\x0c                                                                                                                                                Appendix B\n                                                         Department of Homeland Security\n \n\n                                                     Federal Emergency Management Agency \n\n                                                     Information Technology Management Letter \n\n                                                                September 30, 2010\n\n                                                                                                                                  New     Repeat    Risk\nNFR No.                            Condition                                              Recommendation\n                                                                                                                                  Issue    Issue   Rating\n                FEMA was unable to provide adequate documented            consistent recertification of Core/Merger IFMIS\n                evidence that creation of, or modifications to, account   accounts, to ensure that all migrated G&T IFMIS\n                privileges for 22 accounts were properly authorized.      
accounts are appropriately authorized.\n                Specifically:\n                \xef\xbf\xbd   Documentation for 10 accounts did not evidence\n                    that access was authorized by the OCFO.\n                \xef\xbf\xbd   Documentation for 11 accounts indicated that\n                    access was authorized by the OCFO after the\n                    modifications to the account privileges were\n                    performed.\n                \xef\xbf\xbd   Documentation for 1 account was not available.\n            \xef\xbf\xbd   G&T IFMIS Oracle database user accounts were not\n                consistently approved or authorized prior to initial\n                account creation.      Specifically, of the 8 active\n                database user accounts selected for testing, FEMA\n                was unable to provide documented evidence that the\n                initial account creation of 2 accounts in FY 2010 was\n                authorized.\n            While we noted that the planned merger of the G&T\n            IFMIS and Core IFMIS instances occurred in February\n            2010 and the existing G&T IFMIS Oracle database and\n            application server was decommissioned in June 2010, the\n            weaknesses over the financial data existed for the majority\n            of the fiscal year.\nFEMA-IT\xc2\xad    As noted during the FY 2009 audit engagement,                 There is no recommended corrective action specific to             X        3\n  10-13     weaknesses in G&T IFMIS Oracle database audit logging         this finding because of the decommissioning of G&T\n            controls continued to exist in FY 2010. 
Specifically,         IFMIS in June 2010.\n            Oracle database audit trails were not configured to capture\n            any activity, including failed login attempts or\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 28 \n \n\n\x0c                                                                                                                                                 Appendix B\n                                                         Department of Homeland Security\n \n\n                                                     Federal Emergency Management Agency \n\n                                                     Information Technology Management Letter \n\n                                                                September 30, 2010\n\n                                                                                                                                   New     Repeat    Risk\nNFR No.                            
Condition                                              Recommendation\n                                                                                                                                   Issue    Issue   Rating\n            administrator-level actions as required by FEMA and DHS\n            guidance.\n\n            While we noted that the planned merger of the G&T\n            IFMIS and Core IFMIS instances occurred in February\n            2010 and the existing G&T IFMIS Oracle database was\n            decommissioned in June 2010, the weaknesses over the\n            financial data existed for the majority of the fiscal year.\nFEMA-IT\xc2\xad    During the FY 2010 audit procedures, we noted that            \xef\xbf\xbd   Dedicate resources to fully implement FEMA and                 X        3\n  10-14     weaknesses which existed in FY 2009 related to the                DHS requirements for a recertification of all\n            recertification of IFMIS application accounts continue to         IFMIS-Merger application accounts at least\n            exist. Specifically, although the Core IFMIS application          annually, including revoking access for any\n            user accounts were recertified in January 2010 prior to the       accounts not currently in compliance with the\n            merge of the G&T and Core IFMIS applications, we                  annual recertification.\n            determined that the recertification of the Core IFMIS\n            accounts was not properly completed. 
Of the 25 active         \xef\xbf\xbd   Identify and implement appropriate monitoring\n            application accounts selected, FEMA was unable to                 controls to ensure continued compliance with\n            provide documented evidence that three of the accounts            recertification requirements for the IFMIS-\n            were recertified by the system owner to validate the              Merger application.\n            continued appropriateness of the account, as required by\n            FEMA and DHS policy. Furthermore, these accounts then\n            remained on the IFMIS-Merger application after the\n            merger of the applications occurred.\nFEMA-IT\xc2\xad    During the FY 2010 audit engagement, we noted that the        There is no recommended corrective action specific to              X        3\n  10-15     weaknesses over the recertification of G&T IFMIS              this finding because of the decommissioning of G&T\n            application and Oracle database users noted in FY 2009        IFMIS in June 2010. Any G&T IFMIS accounts\n            continued to exist. Specifically, a management review to      which now exist on the IFMIS \xe2\x80\x93 Merger instance will\n            validate the appropriateness of G&T IFMIS application         be included in recertification efforts that need to be\n            and Oracle database user accounts was not formally            performed by FEMA as corrective action to remediate\n            implemented or performed by the OCFO/Financial System         NFR FEMA-IT-10-14, which cites a lack of\n            Section (OCFO-FSS) this fiscal year.                          
consistent recertification of Core/Merger IFMIS\n                                                                          accounts.\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 29 \n \n\n\x0c                                                                                                                                                      Appendix B\n                                                            Department of Homeland Security\n \n\n                                                        Federal Emergency Management Agency \n\n                                                        Information Technology Management Letter \n\n                                                                   September 30, 2010\n\n                                                                                                                                        New     Repeat    Risk\nNFR No.                              Condition                                                Recommendation\n                                                                                                                                        Issue    Issue   Rating\n            We noted that the planned merger of the G&T IFMIS and\n            Core IFMIS instances occurred in February 2010, and the\n            existing G&T IFMIS Oracle database and application\n            server was decommissioned in June 2010. However, prior\n            to the migration of G&T accounts to the IFMIS \xe2\x80\x93 Merger\n            instance in February 2010, a recertification of G&T IFMIS\n            application users did not occur. 
Therefore, the weaknesses\n            over the recertification of users with access to G&T IFMIS\n            financial data existed for the first two quarters of the fiscal\n            year.\nFEMA-IT\xc2\xad    The merger of Core IFMIS and G&T IFMIS was                        There is no recommended corrective action specific to               X        2\n  10-16     performed in February 2010, and the G&T IFMIS                     this finding because of the decommissioning of G&T\n            application and database server were formally                     IFMIS in June 2010.\n            decommissioned in June 2010. While an ATO was\n            granted for the IFMIS-Merger system by the FEMA CIO\n            on June 4, 2010, prior to the completion of the merged\n            instance, a C&A had not been performed over the G&T\n            IFMIS instance. Consequently, as noted during the prior\n            year FY 2009 audit engagement, G&T IFMIS operated\n            without an ATO prior to its decommissioning.\n\n            In addition, we determined that during the time the system\n            was operational, neither an ISSO nor a Designated\n            Authorizing Authority (DAA) had been formally\n            designated by FEMA management for G&T IFMIS.\nFEMA-IT\xc2\xad    During the FY 2010 audit engagement, we noted the                 \xef\xbf\xbd   Develop and implement policies and procedures          X                 2\n  10-17     following weaknesses regarding specialized training for               requiring initial and periodic specialized training\n            FEMA employees and contractors with significant                       for individuals with significant information\n            information security responsibilities:                                security responsibilities.\n            \xef\xbf\xbd   FEMA has not formally documented or implemented\n                policies and procedures to meet the requirements over         
\xef\xbf\xbd   Formally identify specific roles and positions\n                specialized training for FEMA employees and                       possessing significant information security\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 30 \n \n\n\x0c                                                                                                                                                   Appendix B\n                                                          Department of Homeland Security\n \n\n                                                      Federal Emergency Management Agency \n\n                                                      Information Technology Management Letter \n\n                                                                 September 30, 2010\n\n                                                                                                                                     New     Repeat    Risk\nNFR No.                            Condition                                               Recommendation\n                                                                                                                                     Issue    Issue   Rating\n                contractors with significant information security              responsibilities that are subject to specialized\n                responsibilities in accordance with DHS policy.                
training requirements.\n            \xef\xbf\xbd   With the exception of ISSOs, FEMA has not formally\n                                                                           \xef\xbf\xbd   Develop and implement a mechanism for tracking\n                identified all individuals or positions with significant\n                                                                               and monitoring compliance with specialized\n                information security responsibilities subject to\n                                                                               training requirements for individuals with\n                specialized training requirements.\n                                                                               significant information security responsibilities.\n            \xef\xbf\xbd   FEMA does not track or monitor completion of\n                specialized training for FEMA personnel with critical\n                IT roles.\nFEMA-IT\xc2\xad    In FY 2010, we noted that the NEMIS System Security            \xef\xbf\xbd   Fully identify all hardware and software                        X        2\n  10-18     Plan (SSP) was updated in November 2009. 
However, we               components of the NEMIS platform and update\n            determined that the following weaknesses continue to               appropriate NEMIS system documentation,\n            exist:                                                             including the SSP, to reflect the current operating\n                                                                               environment as required by DHS policy and\n            \xef\xbf\xbd   NEMIS system boundaries, including identification of\n                                                                               NIST guidance.\n                all hardware and software elements that comprise the\n                NEMIS general support system and subsystems, have          \xef\xbf\xbd   Establish and implement a formal process for\n                not been fully defined.                                        periodically reviewing and assessing system\n                                                                               documentation to ensure that system boundaries\n            \xef\xbf\xbd   FEMA has not documented the assignment of FEMA\n                                                                               and hardware and software components are\n                personnel with security responsibilities for the\n                                                                               accurately reflected.\n                modules and major applications that are classified as\n                NEMIS subsystems within the current NEMIS SSP.             
\xef\xbf\xbd   Formally assign and document security\n                                                                               responsibilities of FEMA personnel for all\n                                                                               components of NEMIS, including all identified\n                                                                               modules and major applications.\nFEMA-IT\xc2\xad    During the FY 2010 audit      engagement, we noted the         \xef\xbf\xbd   Formally establish roles and responsibilities          X                 3\n  10-19     following    weaknesses        regarding    configuration          related to oversight and implementation of\n            management over network       devices such as firewalls,           configuration   management   policies    and\n            routers, and switches that    support in-scope financial           procedures for network devices, including\n            systems:                                                           firewalls and routers, supporting financial\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 31 \n \n\n\x0c                                                                                                                                                 Appendix B\n                                                        Department of Homeland Security\n \n\n                                                    Federal Emergency Management Agency \n\n                                                    Information Technology Management Letter \n\n                                                               September 30, 2010\n\n                                                                                                                                   New     Repeat    Risk\nNFR No.                     
      Condition                                             Recommendation\n                                                                                                                                   Issue    Issue   Rating\n                                                                            applications in accordance with DHS and FEMA\n            \xef\xbf\xbd   Comprehensive configuration baselines identifying all       requirements.\n                relevant CIs within the scope of IFMIS and NEMIS\n                                                                        \xef\xbf\xbd   Revise and implement configuration management\n                have not been documented.\n                                                                            policies and procedures over documenting and\n                                                                            maintaining current baseline configurations for\n            \xef\xbf\xbd   FEMA configuration management policies and                  network      devices     supporting     financial\n                procedures     require   the     implementation    of       applications, including IFMIS and NEMIS, to\n                Configuration Status Accounting (CSA), which                ensure DHS and FEMA requirements are\n                includes     recording     approved     configuration       adequately addressed and configuration baselines\n                documentation, performing Configuration Audits              are comprehensively documented by FEMA.\n                (CAs), and documenting physical configuration audits        Additionally, policies and procedures should\n                to assess conformance with established baselines.           
include guidance over requirements such as\n                However,      requirements    for   the   frequency,        documentation of baselines, periodic review and\n                documentation, and retention of results of these            auditing, and approval of baseline changes for\n                activities have not been defined in existing FEMA           network devices.\n                policies or procedures. Additionally, the required\n                CSA reports and CAs have not been performed for         \xef\xbf\xbd   Perform required configuration management\n                IFMIS or NEMIS.                                             activities, including periodic CSA and CA\n                                                                            activities, for network devices supporting\n                                                                            financial applications, including IFMIS and\n                                                                            NEMIS, and retain auditable evidence of these\n                                                                            activities as required by FEMA policy.\nFEMA-IT\xc2\xad    Conditions noted in FY 2009 related to weaknesses over      \xef\xbf\xbd   Update the NEMIS IT Contingency Plan in                          X        2\n  10-20     the documentation and testing of the NEMIS contingency          accordance with DHS and NIST requirements for\n            plan continue to exist in FY 2010, as follows:                  systems categorized at the high impact\n                                                                            availability objective. 
(continued from the preceding page)

Condition (continued):
    • The NEMIS IT Contingency Plan does not adequately and comprehensively include information required by DHS policy for systems with high impact availability. For example, we noted the following weaknesses:
        • Detailed information over NEMIS system architecture, such as the database and server names, as well as information over the various modules of NEMIS, has not been appropriately documented to reflect the current operating environment.
        • The plan does not sufficiently include details necessary to fully restore NEMIS and dependent subsystems in the event of an emergency.
        • The contingency plan does not specify critical roles, system resources, or system/application recovery priorities in sufficient detail to distinguish between the various modules within NEMIS.
        • The Business Impact Analysis (BIA) included in the Contingency Plan was completed in 2004 and is not adequately documented.
    • Testing of the NEMIS IT contingency plan has not been performed in the past 12 months in accordance with DHS policy.

Recommendation (continued):
    Additionally, ensure that the Contingency Plan comprehensively addresses the numerous sub-systems within NEMIS so that detailed information exists over the current system architecture, critical processing priorities, detailed recovery procedures and other required components in accordance with DHS guidance.
    • Conduct and document annual tests of the NEMIS Contingency Plan that address all critical phases of the plan, and update the Contingency Plan with lessons learned, as necessary and in accordance with DHS and NIST requirements.

           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit
                                                              Page 32

                                                                                                                                              Appendix B
                                                        Department of Homeland Security
                                                    Federal Emergency Management Agency
                                                    Information Technology Management Letter
                                                               September 30, 2010

Table columns: NFR No. | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

NFR No. FEMA-IT-10-21    Repeat Issue: X    Risk Rating: 3
Condition:
    We performed a comparison of active IFMIS-Merger, G&T IFMIS, and NACS accounts, as well as individuals with VPN remote access privileges, against a list of FEMA employees that had separated from employment since October 1, 2009 to determine if any separated employees retained active accounts on the applications or remote access to the FEMA network. The following weaknesses were identified:
    • 11 IFMIS-Merger user accounts remained active and unlocked after the account holder's separation from FEMA.
    • 3 G&T IFMIS user accounts remained active and unlocked after the account holder's separation from FEMA.
    • 164 NACS accounts with NEMIS positions assigned at the time of our test work remained active and unlocked after the account holder's separation from FEMA.
    • 33 individuals retained the ability to access the FEMA network remotely due to active VPN remote access privileges after the account holder's separation from FEMA. All 33 individuals additionally retained an active NACS account as described above, thus allowing them to potentially access NEMIS as well.
Recommendation:
    • Identify the root cause(s) associated with separated employees remaining on FEMA information systems. As appropriate, revise existing procedures or develop additional procedures over removal of separated user access to IT systems to address weaknesses that contribute to untimely removal of separated individuals from the systems.
    • Ensure that procedures are implemented consistently to remove system and application accounts for all separated users immediately upon notification of separation, in accordance with FEMA, DHS and NIST guidance.
    No corrective action specific to the portion of this finding related to G&T IFMIS will be provided because of the decommissioning of that system in June 2010.

NFR No. FEMA-IT-10-22    Repeat Issue: X    Risk Rating: 3
Condition:
    In FY 2010, we noted that the following conditions identified in FY 2009 related to FEMA LAN accounts continue to exist:
    • The FEMA LAN domain security policy does not enforce password requirements in accordance with DHS policy. Specifically:
        • The FEMA LAN does not enforce a password history or prevent reuse of passwords.
        • The FEMA LAN does not enforce complexity requirements, including password length or the use of mixed-case alphanumeric and special characters, to ensure that strong passwords are used.
    • FEMA was unable to provide evidence of account authorization for 10 Active Directory (AD) individual user accounts created in FY 2010.
    • While policies and procedures over the authorization of generic, shared group, and service accounts on the FEMA LAN have been finalized, approval of these accounts is not consistently documented according to policy. Specifically, of a selection of 45 generic, group, and service LAN accounts created during FY 2010:
        • 2 did not have a clearly defined business need or justification documented;
        • 26 did not have IT Security or system owner approval documented;
        • 19 were created prior to supervisory certification; and
        • 2 did not have any authorizing documentation provided for our review.
    • FEMA has not established procedures and implemented a process over the periodic recertification of FEMA LAN accounts to ensure that access is still necessary and appropriate for each account as required by FEMA and DHS policy.
    • We compared a listing of active FEMA LAN/AD accounts against a list of FEMA employee separations that had occurred since October 1, 2009 and determined that 85 accounts remained active and unlocked after the account holder's separation from FEMA.
Recommendation:
    • Configure the FEMA LAN to ensure compliance with DHS and FEMA policy requirements for passwords and authenticator control requirements, including expiration, reuse, length, and complexity.
    • Identify and implement appropriate monitoring controls to ensure that all accounts on the FEMA LAN are in compliance with DHS requirements for authorization. Additionally, ensure that where appropriate policies and procedures are further developed and/or revised to ensure consistent implementation and include requirements for all accounts on the FEMA LAN, including generic, shared group, service, and LAN end-user accounts not included in the NACS.
    • Develop and implement a formal process for performing a periodic recertification of all FEMA LAN accounts which defines requirements and addresses accounts not included during the planned recertification of NEMIS application access.
    • Evaluate and, if appropriate, revise existing procedures over removal of separated user access to the FEMA LAN to ensure the timely removal of separated individuals from the network.
    • Ensure that procedures are implemented consistently to remove FEMA LAN accounts for all separated users immediately upon notification of separation, in accordance with FEMA, DHS and NIST guidance.

NFR No. FEMA-IT-10-23    Repeat Issue: X    Risk Rating: 2
Condition:
    In FY 2010, we determined that while change management procedures have been developed and implemented for applications hosted by the NFIP LAN, including Traverse, the documented procedures do not specifically address patch management policies and procedures for the NFIP LAN in accordance with DHS requirements. Specifically, controls over the approval, testing, and deployment of operating system patches are not addressed.
Recommendation:
    We recommend that FEMA OCIO and NFIP management finalize and implement comprehensive patch management policies and procedures for the NFIP LAN supporting Traverse, in accordance with DHS policy. Additionally, FEMA and NFIP management should ensure that these procedures include requirements for authorizing, testing, and approving patches to be implemented into production and responding to DHS Security Operations Center and DHS Enterprise Operations Center (EOC) notifications to ensure compliance with the timely implementation of required patches.

NFR No. FEMA-IT-10-24    Repeat Issue: X    Risk Rating: 2
Condition:
    During FY 2010, we noted that weaknesses over the C&A of NFIP continue to exist. Specifically,
    • FEMA approved Conditional ATOs for the NFIP/Legacy System Services (LSS) on May 22, 2009 and August 20, 2010 for two one-year periods. However, we noted that in the absence of a full ATO, DHS policy allows "interim" ATOs only for systems that are either under development testing or in the prototype phase of development, not operational systems such as the NFIP/LSS. Additionally, "interim" ATOs cannot exceed two consecutive six-month periods.
    • During the initial Conditional ATO period that began on May 22, 2009, FEMA did not complete C&A efforts, including the risk assessment and Security Testing and Evaluation (ST&E) needed to fully assess risk associated with the system, so that a full ATO could be issued. Consequently, from May 2010, when the initial Conditional ATO expired, through August 2010 when the second Conditional ATO was approved, the system operated without any authorization.
    • During our audit fieldwork period, NFIP was unable to provide us with evidence that C&A activities required to be performed for a full ATO to be granted had been completed.
Recommendation:
    We recommend that NFIP continue to work with the FEMA OCIO to complete the recertification and accreditation of the NFIP Legacy Services System, including documentation of all required artifacts in accordance with applicable DHS policies and Federal guidance.

NFR No. FEMA-IT-10-25    Repeat Issue: X    Risk Rating: 3
Condition:
    During the FY 2010 audit engagement, we noted that the following conditions related to management of FEMA VPN accounts continue to exist:
    • The VPN Rules of Behavior for Users Behind Corporate Firewalls, dated December 5, 2002, requires individual's manager approval and Enterprise Service Desk (ESD) validation of all VPN Access Request forms prior to granting access. However, approval by the system owner or a designated representative is not required.
    • VPN Access Request forms include an approval block titled "For FEMA OCS Use Only," and the form states that all VPN requests must be approved by the FEMA Office of Cyber Security (OCS). However, OCS does not currently exist as a FEMA Division due to FEMA's reorganization. Consequently, existing policies and procedures do not reflect the current security management structure at FEMA nor do they assign responsibility to a current entity within the agency.
    • A periodic recertification of FEMA VPN access accounts is not currently performed to ensure that remote access is still necessary and appropriate for each individual.
    • Of the selection of 45 VPN Access Request forms reviewed:
        • Two did not specify the date that access was approved by the requestor's supervisor.
        • Three were granted supervisory approval after VPN access was established for the user.
        • The section of each form that required "OCS" level review and approval was not completed.
    Additionally, we conducted further testwork over remote access granted through the iPass utility, which is used to provide dial-up access to the FEMA network via the VPN gateway. This access is managed through a separate access authorization process from VPN. During our testwork, we noted the following new conditions in FY 2010 related to management of access to iPass:
    • While iPass User Agreement forms require Section Chief (or equivalent) approval and IT certification for iPass remote access, requests are not approved by the system owner or a designated representative, as required by DHS policy. Additionally, policies and procedures do not exist related to the granting and management of users of the iPass remote dial-up utility.
    • Of the selection of 45 iPass User Agreement forms reviewed:
        • Three did not specify the date that access was approved by the requestor's section chief (or equivalent).
        • One was granted supervisory approval after VPN access was established for the user.
        • One was granted supervisory approval by the same individual that the requested VPN account was for, indicating a violation of segregation of duties in the management review and approval of information system access.
Recommendation:
    • Revise and implement current policies and procedures for documenting, reviewing, and approving all remote access accounts to the FEMA LAN including VPN and iPass access. Specifically, roles and responsibilities should be defined to ensure that sufficient resources are dedicated to appropriately authorize accounts on behalf of the system owner or a designee prior to granting remote access, according to FEMA and DHS policy.
    • Develop and implement policies and procedures to perform a periodic recertification of all remote user access and retain auditable records as evidence that recertifications are conducted and completed in accordance with DHS and FEMA policy.

NFR No. FEMA-IT-10-26    Repeat Issue: X    Risk Rating: 3
Condition:
    The following weaknesses noted in FY 2009 continue to exist in FY 2010:
    • IFMIS-Merger application user accounts were not properly approved or authorized. Specifically, of the 25 active application users selected for review, FEMA was unable to provide documented evidence that initial account creation or the most recent modifications to account privileges for 6 accounts were authorized.
    • Policies and procedures over the management of accounts on the IFMIS-Merger Oracle database do not specify requirements for performing a periodic recertification of database accounts to validate the continued appropriateness of access.
    • IFMIS-Merger Oracle database user accounts were not properly approved or authorized. Specifically, of the eight active database users selected for review, approval for six user accounts was not documented prior to creation of the accounts. Approval was not documented for these accounts until after the audit request for documentation was received.
    • The FY 2010 recertification of IFMIS-Merger Oracle database user accounts was neither completed consistently nor in accordance with FEMA policy. Specifically, we requested a selection of recertification forms for eight IFMIS-Merger database user accounts and determined that three were granted to contractors, but COTR approval was not documented.
Recommendation:
    • Identify and implement appropriate monitoring controls to ensure compliance with initial authorization and modification requirements for accounts on the IFMIS-Merger application.
    • Document policies and procedures over the periodic recertification of all accounts on the IFMIS-Merger database.
    • Dedicate resources to fully implement FEMA and DHS requirements for a recertification of all IFMIS-Merger database accounts at least annually, including revoking access for any accounts not currently in compliance with the annual recertification.
    • Identify and implement appropriate monitoring controls to ensure compliance with initial authorization, modification, and periodic recertification requirements for accounts on the IFMIS-Merger database.

NFR No. FEMA-IT-10-27    Repeat Issue: X    Risk Rating: 3
Condition:
    As noted during the FY 2009 audit engagement, the following weaknesses in G&T IFMIS Oracle database user account password controls continued to exist in FY 2010:
    • We determined that FEMA performed manual reviews of inactive G&T IFMIS database accounts on a monthly basis to disable accounts which had not been used in the prior 90 days. However, since G&T IFMIS is categorized as a high impact system, reviews are required to disable accounts that have been inactive for 45 days, according to DHS policy.
    • The G&T IFMIS database account security policy did not enforce password requirements in accordance with DHS policy. Specifically:
        • The database did not enforce a password history or prevent reuse of passwords.
        • The database did not enforce complexity requirements, including definition of a password verification function to ensure strong passwords are used. Specifically, password length and requirements over the use of mixed-case, alphanumeric and special characters to enforce restrictions over the use of dictionary words, are not defined.
        • The database did not enforce password expiration after a predetermined length of time.
    • FEMA had not established a formal process for approving emergency and temporary access to the G&T IFMIS database that is compliant with DHS requirements. Specifically, emergency and temporary access to the database for individuals with elevated privileges, including access for contractor development personnel, is approved by the FSS Chief and/or his/her staff, not by the FEMA Chief Information Security Officer (CISO) or a designee, as required by DHS policy. Additionally, a formal process specifically addressing procedures for the granting of temporary access to the database and ensuring that access is removed in a timely manner was not documented within existing IFMIS access control policies and procedures. Furthermore, we determined that through this process the G&T IFMIS Oracle database access was granted to contracted development personnel in order to implement database changes to G&T IFMIS, which continues to conflict with segregation of duties principles.
    While we noted that the merger of the G&T IFMIS and Core IFMIS instances occurred in February 2010 and the existing G&T IFMIS Oracle database was decommissioned in June 2010, the weaknesses noted existed for the majority of the fiscal year.
Recommendation:
    There is no recommended corrective action specific to this finding because of the decommissioning of G&T IFMIS in June 2010.

NFR No. FEMA-IT-10-28    Repeat Issue: X    Risk Rating: 3
Condition:
    Weaknesses noted in FY 2009 over C&A of the FEMA LAN and subsystems that host in-scope financial applications continue to exist in FY 2010. During our FY 2010 audit engagement, we noted that FEMA has classified regional LANs as subsystems and included them within the defined system boundary of the FEMA Switched Network (FSN)-2. We noted the following weaknesses in the C&A of the FSN-2 General Support System (GSS) that includes the FEMA LANs:
    • The FSN-2 GSS C&A was not completed in compliance with DHS and NIST requirements and has not been updated to accurately reflect the current GSS environment. Specifically:
        • The authorizing officials and individuals noted as responsible for the security roles for multiple regional LANs and subsystems are not accurately reflected in the SSP included in the C&A package as employees with specified roles no longer work for FEMA in the capacity noted.
        • While the Maryland National Processing Service Center is identified as a subsystem in the overarching FSN-2 GSS C&A package SSP, C&A activities have not been performed over this subsystem.
        • DHS policy requires annual testing of IT contingency plans for information systems with a high impact availability categorization, such as the FSN-2 GSS.
    (continued on the next page)
Recommendation:
    • Continue to fully identify and decouple all components of the FSN-2 platform, including regional LANs and GSSs, which host or support IFMIS and NEMIS, and perform all required C&A activities over each component as required by DHS policy and NIST guidance.
    • Formally assign and document security responsibilities for all components of the FSN-2 platform, including regional LANs and GSSs, which host or support IFMIS and NEMIS.
However, the most recent test of\n                   the FSN-2 IT contingency plan was performed\n                   and documented during FY 2008.\n               \xef\xbf\xbd   DHS policy requires that risk assessments be\n                   conducted for information systems no less\n                   frequently than every three years. However, the\n                   most recent ST&E was documented during FY\n          Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                             Page 42 \n \n\n\x0c                                                                                                                                        Appendix B\n                                                       Department of Homeland Security\n \n\n                                                   Federal Emergency Management Agency \n\n                                                   Information Technology Management Letter \n\n                                                              September 30, 2010\n\n                                                                                                                          New     Repeat    Risk\nNFR No.                           
Condition                                           Recommendation\n                                                                                                                          Issue    Issue   Rating\n                    2006.\n            \xef\xbf\xbd   The most recent ATO granted by the FEMA CIO\n                expired on January 22, 2010, and the FSN-2 GSS is\n                currently operating without authorization from FEMA\n                management.\n            \xef\xbf\xbd   Although the C&A package references various\n                subsystems supporting and hosting IFMIS and\n                NEMIS, FEMA management was unable to identify\n                and confirm the FSN-2 subsystems (including regional\n                LANs) that host the production servers for NEMIS\n                and IFMIS applications. Consequently, we were\n                unable to test the hosting environment supporting\n                financial applications in-scope for the FY 2010\n                environment.\nFEMA-IT\xc2\xad    During the FY 2009 audit engagement, we noted that a       \xef\xbf\xbd   Formally designate an ISSO for the PARS web              X        3\n  10-29     C&A of PARS had not been performed and the system had          server and application environment.\n            not received an ATO since becoming operational in the\n            FEMA environment. 
While improvements were noted in         \xef\xbf\xbd   Certify and accredit the PARS web server and\n            this condition for FY 2010, we determined that the             application       environment,     including\n            following C&A weaknesses over PARS continue to exist:          documentation of all required artifacts in\n                                                                           accordance with applicable DHS policies and\n            \xef\xbf\xbd   In FY 2010, the PARS database was included within          Federal guidance.\n                the accreditation boundary for the IFMIS-Merger\n                system, which was granted an ATO in June 2010.\n                However, prior to that date, the PARS database was\n                not certified and accredited and consequently,\n                operated without an ATO for the majority of FY\n                2010.\n\n            \xef\xbf\xbd   All other system components of PARS, including the\n                web and application servers, continued to operate\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 43 \n \n\n\x0c                                                                                                                                                 Appendix B\n                                                          Department of Homeland Security\n \n\n                                                      Federal Emergency Management Agency \n\n                                                      Information Technology Management Letter \n\n                                                                 September 30, 2010\n\n                                                                                                                                   New     Repeat    Risk\nNFR No.                            
Condition                                               Recommendation\n                                                                                                                                   Issue    Issue   Rating\n                without an ATO, and evidence that C&A efforts for\n                these components of PARS were completed and\n                approved by FEMA management could not be\n                obtained from FEMA for review during the FY 2010\n                audit engagement.\n\n            \xef\xbf\xbd   At the time of our test procedures, an ISSO had not\n                been formally designated by FEMA management for\n                the PARS web server and application. While we were\n                informed by FEMA IT Security Management that the\n                PARS database was administered by an ISSO under\n                the Core IFMIS, we determined that no formal\n                designation of this responsibility was assigned until\n                FY 2010 because the PARS database was not\n                included in the C&A boundary for Core IFMIS and no\n                additional designation letters were issued. As a result,\n                the PARS database did not have a formal designation\n                of security responsibilities for the majority of the\n                fiscal year.\nFEMA-IT\xc2\xad    As noted during the FY 2009 audit engagement related to        Document and implement a formal process for                       X        3\n  10-30     Core IFMIS, we determined that weaknesses over the             granting emergency and temporary access to the\n            authorization of emergency and temporary access to the         IFMIS-Merger database that includes guidance over\n            IFMIS \xe2\x80\x93 Merger Oracle database continue to exist in FY         all types of accounts authorized for temporary and\n            2010. 
Specifically, FEMA has not established a formal          emergency      access,   segregation     of    duties\n            process for approving emergency and temporary access to        considerations, and appropriate approval from FEMA\n            the IFMIS-Merger database that is compliant with DHS           management in accordance with DHS policy.\n            requirements. During our FY 2010 testing, we determined\n            that emergency and temporary access to the database for\n            individuals with elevated privileges, including access for\n            contractor development personnel, is approved by the FSS\n            Chief and/or his/her staff, not by the FEMA CISO or a\n            designee, as required by DHS policy. Additionally, a\n            formal process specifically addressing procedures for the\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 44 \n \n\n\x0c                                                                                                                                                 Appendix B\n                                                          Department of Homeland Security\n \n\n                                                      Federal Emergency Management Agency \n \n\n                                                      Information Technology Management Letter \n \n\n                                                                 September 30, 2010\n\n                                                                                                                                   New     Repeat    Risk\nNFR No.                             
Condition                                              Recommendation\n                                                                                                                                   Issue    Issue   Rating\n            granting of temporary access to the database and ensuring\n            that access is removed in a timely manner has not been\n            documented within existing IFMIS-Merger access control\n            policies and procedures.\n\n            Furthermore, we determined that through this process the\n            IFMIS-Merger Oracle database access is granted to\n            contracted development personnel in order to implement\n            database changes to IFMIS-Merger, which continues to\n            conflict with segregation of duties principles.\nFEMA-IT\xc2\xad    During our unannounced enhanced security testing               Formally approve and implement procedures for                     X        3\n  10-31     performed during the FY 2010 audit engagement, we              managing security incidents. Specifically, procedures\n            noted that the FEMA Security Operations Center (SOC)           should clearly outline roles and responsibilities\n            proactively tracked and reported incidents related to social   required to maintain a continuous incident response\n            engineering attempts performed at FEMA headquarters            capability and define processes related to the\n            and regional offices through implemented ad hoc                identification, evaluation, and resolution of all\n            processes. 
However, weaknesses noted during the FY             security incidents, as required by DHS and FEMA\n            2009 audit engagement related to FEMA\xe2\x80\x99s incident               policy.\n            response program continue to exist in FY 2010.\n\n            Specifically, standard operating procedures for the\n            management of FEMA IT security incidents have not been\n            formally approved and implemented by FEMA\n            management. Consequently, FEMA has not implemented\n            DHS policy requirements to establish a documented and\n            formally approved component-level incident response\n            framework or capability, including roles, responsibilities,\n            and processes related to the identification, evaluation, and\n            resolution of all security incidents.\nFEMA-IT\xc2\xad    In FY 2009, we identified weaknesses over FEMA\xe2\x80\x99s patch         Further dedicate resources to document and fully                  X        3\n  10-32     management program as it relates to Core IFMIS and             implement comprehensive system-specific patch\n            G&T IFMIS. 
During the FY 2010 audit engagement, we             management procedures to ensure that IFMIS-Merger\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 45 \n \n\n\x0c                                                                                                                                                Appendix B\n                                                        Department of Homeland Security\n \n\n                                                    Federal Emergency Management Agency \n\n                                                    Information Technology Management Letter \n\n                                                               September 30, 2010\n\n                                                                                                                                  New     Repeat    Risk\nNFR No.                            Condition                                             Recommendation\n                                                                                                                                  Issue    Issue   Rating\n            determined that while FEMA has finalized and formally        operating system and database patches are tested and\n            implemented the FEMA Office of the Chief Information         deployed in a timely manner, in accordance with DHS\n            Officer (OCIO) Standard Operating Procedure (SOP) for        and FEMA policy.\n            Vulnerability Patch Management, the SOP was not\n            approved until April 8, 2010. 
Consequently, FEMA did         No corrective action specific to the portion of this\n            not have a formal patch management procedure applicable      finding related to G&T IFMIS will be provided\n            to the IFMIS environments for a majority of the fiscal       because of the decommissioning of that system in\n            year. Given the timing of the SOP\xe2\x80\x99s approval, the patch      June 2010.\n            management procedures could not be implemented when\n            G&T IFMIS was operational as it was merged with Core\n            IFMIS in February 2010.\n\n            Additionally, we determined that FEMA has not fully and\n            consistently implemented the requirements and procedures\n            documented in the SOP for IFMIS-Merger in accordance\n            with FEMA and DHS guidance.\nFEMA-IT\xc2\xad    Weaknesses noted in FY 2009 over FEMA\xe2\x80\x99s information          \xef\xbf\xbd   Establish and implement documented procedures                  X        2\n  10-33     security vulnerability management program as it relates to       that define formal requirements, processes, and\n            NEMIS continue to exist in FY 2010. 
Specifically:                responsibilities    for   performing      periodic\n                                                                             vulnerability scans of NEMIS production servers.\n            \xef\xbf\xbd   FEMA does not have documented and approved\n                                                                             Additionally, ensure these procedures include\n                procedures that establish formal requirements,\n                                                                             requirements for reporting and tracking resolution\n                processes, and responsibilities for performing regular\n                                                                             of weaknesses identified during internal NEMIS\n                vulnerability scans of NEMIS.\n                                                                             vulnerability scans in accordance with DHS\n            \xef\xbf\xbd   The list of NEMIS servers currently scanned by the           POA&M guidance.\n                SOC is incomplete and does not represent the current\n                                                                         \xef\xbf\xbd   Revise listing of NEMIS servers scanned by the\n                NEMIS system boundary as defined by system owners\n                                                                             FEMA SOC to ensure that vulnerability scans\n                and IT security management. Additionally, NEMIS\n                                                                             performed include all NEMIS servers within the\n                system owners are not receiving listings of all\n                                                                             current operating environment. 
Additionally,\n                vulnerabilities noted on their system components to\n                                                                             develop and implement procedures to ensure that\n                ensure corrective action is tracked and remediated.\n                                                                             this listing is periodically re-evaluated and\n            \xef\xbf\xbd Corrective action over vulnerabilities identified\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                                Page 46 \n \n\n\x0c                                                                                                                                                 Appendix B\n                                                        Department of Homeland Security\n \n\n                                                    Federal Emergency Management Agency \n\n                                                    Information Technology Management Letter \n\n                                                               September 30, 2010\n\n                                                                                                                                   New     Repeat    Risk\nNFR No.                            Condition                                             Recommendation\n                                                                                                                                   Issue    Issue   Rating\n                through SOC internal scans of NEMIS production               updated as appropriate.\n                servers is not formally tracked via the POA&M\n                process, as required by DHS policy.                      
\xef\xbf\xbd   Revise the SOC distribution listing of NEMIS\n                                                                             system owners and other appropriate IT security\n                                                                             management to further define personnel\n                                                                             responsible for remediating and formally tracking\n                                                                             all vulnerabilities identified over the various\n                                                                             NEMIS components. Additionally, develop and\n                                                                             implement procedures to ensure that this listing is\n                                                                             periodically re-evaluated and updated as\n                                                                             appropriate.\nFEMA-IT\xc2\xad    Weaknesses noted in FY 2009 over FEMA\xe2\x80\x99s information          Establish and implement documented procedures that                  X        3\n  10-34     security vulnerability management program as it relates to   define formal requirements, processes, and\n            G&T IFMIS and IFMIS-Merger continue to exist in FY           responsibilities for performing regular vulnerability\n            2010. Specifically:                                          scans of IFMIS-Merger. 
Additionally, procedures\n                                                                         should include requirements for reporting and\n            \xef\xbf\xbd   FEMA did not have documented and approved                tracking resolution of weaknesses identified during\n                procedures that establish formal requirements,           internal IFMIS-Merger vulnerability scans in\n                processes, and responsibilities for performing regular   accordance with DHS POA&M guidance.\n                vulnerability scans of G&T IFMIS and IFMIS-\n                Merger.\n            \xef\xbf\xbd   For one of the three months selected for testing,        No corrective action specific to the portion of this\n                vulnerability scans were not performed for the G&T       finding related to G&T IFMIS will be provided\n                IFMIS production server.                                 because of the decommissioning of that system in\n                                                                         June 2010.\n            \xef\xbf\xbd   For all three months selected for testing,\n                vulnerabilities reported by the FEMA SOC over the\n                G&T IFMIS and IFMIS-Merger production servers\n                were not formally tracked via the POA&M process, as\n                required by DHS policy.\nFEMA-IT\xc2\xad    In FY 2009, we identified weaknesses over FEMA\xe2\x80\x99s patch       Further document and fully implement comprehensive                  X        2\n  10-35     management program related to NEMIS. 
During the FY           system-specific patch management procedures to\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 47 \n \n\n\x0c                                                                                                                                                  Appendix B\n                                                          Department of Homeland Security\n \n\n                                                      Federal Emergency Management Agency \n\n                                                      Information Technology Management Letter \n\n                                                                 September 30, 2010\n\n                                                                                                                                    New     Repeat    Risk\nNFR No.                            Condition                                               Recommendation\n                                                                                                                                    Issue    Issue   Rating\n            2010 audit engagement, we determined that while FEMA           ensure that NEMIS operating system and database\n            has finalized and formally implemented the FEMA OCIO           patches are tested and deployed in a timely manner, in\n            SOP for Vulnerability Patch Management, the SOP was            accordance with DHS and FEMA policy.\n            not approved until April 8, 2010. 
Consequently, FEMA           Additionally, these policies and procedures should\n            did not have a formal patch management procedure               include formal designation of responsibilities for\n            applicable to the NEMIS environment for a majority of the      oversight and implementation of required patch\n            fiscal year. Additionally, we determined that FEMA has         management activities for all NEMIS components to\n            not fully and consistently implemented the requirements        ensure compliance at the system level.\n            and procedures documented in the SOP for all NEMIS\n            components in accordance with FEMA and DHS\n            guidance.\nFEMA-IT\xc2\xad    Weaknesses identified in FY 2009 related to the testing of     \xef\xbf\xbd   Develop and implement backup policies and                      X        3\n  10-36     NEMIS production database backup tapes continue to                 procedures to ensure that all NEMIS components\n            exist in FY 2010. Specifically:                                    are backed up and backup media is stored\n                                                                               in/rotated to an off-site facility according to\n            \xef\xbf\xbd   During two quarters of FY 2010, FEMA conducted\n                                                                               FEMA and DHS requirements.\n                restoration tests of backup tapes for one specific\n                NEMIS database while FEMA\xe2\x80\x99s SOP for Tape\n                Backup Testing documents requirements for the              \xef\xbf\xbd   Revise or develop policies and procedures to\n                testing of 39 databases. 
Consequently, we determined           periodically test and document testing of the\n                that FEMA did not regularly test backup tapes                  NEMIS backups in compliance with FEMA and\n                containing all NEMIS production database data during           DHS requirements. In addition, ensure that\n                the fiscal year.                                               policies and procedures are implemented to\n                                                                               perform periodic restoration testing of all NEMIS\n            \xef\xbf\xbd   Additionally, while we noted that the SOP for Tape             production databases in accordance with\n                Backup Testing assigns responsibility for testing              established requirements.\n                backup tapes in accordance with a defined schedule to\n                NEMIS IT security management, administrators, and\n                system owners, the SOP was not updated to reflect the\n                required schedule for performing tape restoration tests.\n            Furthermore, we noted the following new weaknesses\n            related to controls over the performance of NEMIS\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 48 \n \n\n\x0c                                                                                                                                                   Appendix B\n                                                         Department of Homeland Security\n \n\n                                                     Federal Emergency Management Agency \n\n                                                     Information Technology Management Letter \n\n                                                                September 30, 2010\n\n                             
Appendix B
Department of Homeland Security
Federal Emergency Management Agency
Information Technology Management Letter
September 30, 2010

NFR No. | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

(continued from the preceding page) database backups:
• FEMA has not formally defined and documented procedures that outline processes for performing backups of NEMIS production databases and for rotating and physically securing backup tapes off-site.
• FEMA was unable to provide requested documentation to evidence that any of the 39 NEMIS production databases identified in the SOP for Tape Backup Testing are currently being backed up.

FEMA-IT-10-37 (New Issue: X; Risk Rating: 3)

Condition:
During our social engineering testing, several personnel provided us with user IDs and/or passwords.

It should be noted that several personnel that we contacted by phone during our social engineering phone calls challenged our requests for user access credentials by looking up our assumed names in the FEMA directory to determine if we were FEMA personnel, requesting employee IDs, asking for help desk ticket numbers associated with our calls, and reporting our attempts to supervisors.

While individuals contacted represented several offices in multiple FEMA regions as well as Headquarters, our selection of individuals was not statistically derived. Therefore, we are unable to project these results to FEMA as a whole.

Recommendation:
Review the effectiveness of existing security awareness programs designed to protect "need-to-know" information, including IT system access credentials, and ensure that individuals are adequately instructed and reminded of their roles in the protection of sensitive system information from unauthorized individuals through formal, periodic communications and/or security awareness training.

FEMA-IT-10-38 (Repeat Issue: X; Risk Rating: 2)

Condition:
During our after-hours physical security testing conducted on July 20, 2010, we noted instances of improperly protected authentication credentials, system information, information technology assets, and Personally Identifiable Information (PII) in the facilities inspected.

Some of the instances of improperly secured PII noted consisted of large stacks of documents or compiled spreadsheets that contained PII for numerous individuals conducting business for or with FEMA. Exceptions categorized as "Other" consisted of laptops and other IT assets not physically secured/locked to workspaces, unsecured bank account and government travel card information, and the lack of adequate locking mechanisms on a server room door.

Our selection of areas at each facility that were inspected was not statistically derived, and therefore, we are unable to project results to FEMA as a whole.

Recommendation:
Review the effectiveness of existing security awareness programs designed to protect electronic and physical data, PII, and For Official Use Only (FOUO) agency information and ensure that individuals are adequately instructed and reminded of their roles in the protection of both electronic and physical FEMA data and hardware through formal, periodic communications and/or security awareness training.

Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit
Page 49

FEMA-IT-10-39 (Repeat Issue: X; Risk Rating: 3)

Condition:
As noted during the FY 2009 audit engagement, weaknesses continue to exist over the segregation of duties controls for the migration of IFMIS-Merger changes into production. Specifically:
• The FEMA development contractor continues to deploy changes into the UNIX production environment through the use of the shared "ifmiscm" account. We noted that FEMA change management personnel are following SOPs that outline the controls intended to mitigate the risk associated with the IFMIS-Merger developers having the ability to migrate changes to the IFMIS-Merger production environment. In particular, the Office of the Chief Financial Officer (OCFO) IFMIS System Change Request (SCR) SOP requires the locking and unlocking of the "ifmiscm" account by system administrators during the implementation of software changes into production. However, we determined that while the SCR SOP states that system administrators will periodically monitor production directories to detect updates, no formal procedures or processes are included in the SOP or documented elsewhere for detailing how to monitor the directories or the requirements for performing the reviews to verify that only authorized changes to the "ifmiscm" directory and sub-directories are implemented into production by the developers.
• We determined that although informal reviews of the directories were performed during the fiscal year, they were not routinely relied upon by FEMA management as they did not provide the level of detail required for adequate monitoring, and FEMA personnel were not able to distinguish the types of changes made to the system from the "ifmiscm" account.

Recommendation:
Document and implement policies and procedures to limit IFMIS-Merger developer access to the production environment to "read only" and segregate the responsibility for deploying application code changes into production from the development contractor to an independent control group. If business needs require that the segregation of duties cannot be immediately implemented, document and implement policies and procedures to mitigate the risk associated with the segregation of duties weakness noted in accordance with DHS guidance, including a formalized process for performing and documenting reviews of activity performed by developers within the IFMIS-Merger environment.

FEMA-IT-10-40 (Repeat Issue: X; Risk Rating: 3)

Condition:
As noted during the FY 2009 audit engagement, weaknesses continued to exist over the segregation of duties controls for the migration of G&T IFMIS changes into production during FY 2010.

Specifically, the "ifmiscm" account was used by the FEMA development contractor to deploy changes into the UNIX production environment. Per our review, we noted that the G&T IFMIS application programmers responsible for maintaining and developing changes for the G&T IFMIS application were also responsible for migrating application code changes into the production environment using the "ifmiscm" account. We were informed by FEMA personnel that the controls over this account did not change from FY 2009 and that the account remained unlocked while G&T IFMIS was operational between October 2009 and June 2010 when the system was decommissioned. We were further informed by FEMA personnel that access to the "ifmiscm" account was not limited or monitored on a periodic basis, allowing the development contractor unrestricted access to the production environment.

Additionally, we noted that FEMA has documented policies and procedures that require the IFMIS-Merger "ifmiscm" account to be locked and use of the account to be monitored. However, we noted that no established procedures or controls were in place for G&T IFMIS to mitigate the risk associated with this account.

Consequently, we determined that while the G&T IFMIS application server was decommissioned in June 2010, the weaknesses over segregation of duties controls in the G&T IFMIS configuration management process continued to exist for the majority of FY 2010, and prior year NFR FEMA-IT-09-59 is reissued.

Recommendation:
There is no recommended corrective action specific to this finding because of the decommissioning of G&T IFMIS in June 2010.

FEMA-IT-10-41 (Repeat Issue: X; Risk Rating: 3)

Condition:
Password, patch management, and configuration management weaknesses were identified during vulnerability assessment technical testing.
Note: Due to the nature of this finding, see the tables in the associated NFR for the specific details of the conditions.

Recommendation:
Implement the specific corrective actions listed in the NFR for each technical control weakness identified.

FEMA-IT-10-42 (New Issue: X; Risk Rating: 3)

Condition:
During the FY 2010 audit engagement, we noted the following weaknesses over the completeness and accuracy of certain C&A artifacts that support the Authorizing Official's decision to grant an ATO for the IFMIS-Merger:
• A risk assessment for IFMIS-Merger had not been completed or documented prior to granting an ATO, in accordance with DHS and NIST requirements. Additionally, FEMA does not plan to conduct and document a risk assessment or the results of the required risk assessment activities for IFMIS-Merger as FEMA management has indicated that it is not required for FY 2010.
• The ATO was signed in June 2010, more than three months after the IFMIS-Merger system was operational in late February 2010.
• Per our review of the security assessment report, the assessment performed over IFMIS-Merger prior to granting ATO did not include evaluation of any of the controls identified within the SSP. The assessment was limited to vulnerability and compliance scans.
• The ST&E was not properly conducted because the baseline controls in the Requirements Traceability Matrix were not consistent with DHS requirements.

Recommendation:
• Update and complete all required C&A artifacts for IFMIS-Merger in accordance with DHS policy and NIST guidance.
• Ensure that C&A artifacts, including the risk assessment or the results of the required risk assessment activities, the ST&E, and the Security Assessment Report (SAR), are conducted and documented in accordance with established DHS baseline controls according to the security categorization of the system.

FEMA-IT-10-43 (New Issue: X; Risk Rating: 3)

Condition:
During the FY 2010 audit engagement, we noted that the most recent ATO for NEMIS was signed on October 29, 2009. However, we identified weaknesses in the completeness and accuracy of certain C&A artifacts that support the Authorizing Official's decision to grant the ATO for NEMIS. Specifically, the NEMIS Risk Assessment, ST&E, and SAR were completed in 2006, and thus outdated as DHS policy requires C&A artifacts supporting ATOs to be updated within the 13 months prior to granting the most recent ATO, and NIST requires each to be conducted every 3 years.

Recommendation:
Update and complete all required C&A artifacts for NEMIS in accordance with DHS policy and NIST guidance.

FEMA-IT-10-44 (Repeat Issue: X; Risk Rating: 3)

Condition:
Conditions noted in FY 2009 related to weaknesses over controls in place to monitor and restrict access to highly-privileged system accounts within the UNIX environment that supports IFMIS-Merger and G&T IFMIS continue to exist in FY 2010. Specifically:
• Access to the "root" account is not properly restricted and system administrator activities are not appropriately logged. Specifically, the password to access the UNIX "root" administrator account is shared between the administrators, and remote access to the root account is not locked down.
• System administrator actions are not monitored and attributable to individual administrators. Specifically, FEMA has not enforced the use of the "sudo" command, which requires system administrators to log in with their individual user ID and then switch over to the root account to ensure who is accessing the account is logged and authorized.
• System logs and reports of administrator activity, including the "sudo" log which monitors actions performed by administrators while acting as the "root" account, were not reviewed by FEMA management personnel independent of the system administration staff.

Recommendation:
Document and implement appropriate technical and management controls to restrict and monitor access to privileged system administrator accounts on the IFMIS-Merger operating system, including use of the "root" account, in accordance with DHS and FEMA policy. Additionally, policies and procedures should include requirements to ensure that system logs and records of administrator activity, including the "root" account, are retained and reviewed by IT security management independent of the system administration team, especially where individual traceability for the account is not possible.

There is no recommended corrective action specific to the portion of this finding related to G&T IFMIS because of the decommissioning of G&T IFMIS in June 2010.

FEMA-IT-10-45 (Repeat Issue: X; Risk Rating: 2)

Condition:
In FY 2009, we noted weaknesses over suitability determinations for federal employees and contractors with sensitive IT system access that continued to exist in FY 2010. Specifically, of 15 federal employee positions selected for testing:
• Three did not have evidence of a completed background investigation on file that met minimum investigative requirements specified by DHS policy.
• For one employee, FEMA was unable to provide any documentation to evidence that the employee's background investigation was performed and maintained within the Integrated Security Management System (ISMS), FEMA's personnel suitability and investigation recordkeeping utility.
• Nine that are defined as "high risk" according to FEMA policy did not have an appropriate position sensitivity designation that reflected the risk level required by DHS policy.

During our FY 2010 test work over contractors, we determined that no formal procedures have been developed or implemented by FEMA to address DHS requirements surrounding the suitability screening of contractors accessing DHS IT systems. Additionally, we selected a population of 15 contractors with access to multiple FEMA information systems who hold sensitive IT security positions at FEMA such as system administrators, database administrators, and systems development contractors and determined that FEMA has not appropriately conducted suitability investigations. Specifically:
• For two, FEMA was unable to provide any documentation to evidence that the contractor's record was maintained within ISMS, including the status of any background investigations performed.
• Six did not have evidence of a completed background investigation on file that meets minimum investigative requirements specified by DHS policy. Of the six, two had records maintained within ISMS; however, FEMA was unable to provide evidence that background investigations for each were performed.
• None had position sensitivity designations defined by FEMA for the sensitive IT position they held at the time of our test work, as required by DHS policy.

Recommendation:
• Further define and refine documented processes to ensure that background investigations for all Federal employees are performed and procedures are implemented in accordance with DHS directives.
• Reevaluate and assign the correct position sensitivity levels to all Federal employees with access to DHS information systems in accordance with DHS policy. Additionally, document and/or revise, and fully implement, procedures to ensure that program managers are aware of requirements and appropriate position sensitivity levels are designated for all sensitive IT positions in the future.
• Document and fully implement procedures within FEMA Acquisitions, FEMA Personnel Security, and FEMA IT to ensure a more centralized and coordinated process for tracking and completing background investigations over contractor personnel in accordance with DHS policy.
• Ensure that all system owners document and correctly define the appropriate sensitivity designations for contractor personnel needing access to their information systems in accordance with DHS policy. Additionally, ensure that position sensitivity designations are assigned based on the type of privileges needed, and require contractors to have their suitability investigations completed prior to being granted access to the system in accordance with FEMA and DHS policy.

FEMA-IT-10-46 (Repeat Issue: X; Risk Rating: 3)

Condition:
During the FY 2010 audit engagement, we noted weaknesses in controls over the configuration management of application, web, and database servers within the NEMIS production environment. Specifically:
• Access to the multiple application, web, and database servers that comprise the NEMIS production environment for deploying approved code changes is limited to IT Enterprise Operations staff. However, no formalized change management procedures exist for deploying changes to ensure the movement of production code for the NEMIS production environment is appropriately controlled.
• Access to a shared service account is used for the deployment of Linux [5] changes. However, FEMA was unable to provide any system documentation or associated artifacts demonstrating that FEMA was appropriately restricting and controlling access to the NEMIS production application, web, and database servers.

Recommendation:
• Document and implement a formalized process and procedures for deploying NEMIS changes to ensure the movement of production code for the NEMIS production environment is appropriately controlled. Procedures should include requirements for restricting and monitoring access to, and documenting reviews of, the NEMIS production environment to ensure that the principles of least privilege and segregation of duties are enforced, in accordance with DHS guidance.
• Ensure that adequate technical controls are implemented to enforce least privilege and segregation of duties requirements for the implementation of system changes. If individual accounts are not possible for deploying changes, implement logical access controls, including configuration of system audit logs, on NEMIS production servers to establish individual accountability for all FEMA personnel with access to the environment through the shared service account, in accordance with DHS and FEMA policy. Additionally, for these shared service accounts, document, implement, and approve standard operating procedures for the implementation and formal review of NEMIS system changes on production servers.

[5] Linux is one of the operating system platforms that the NEMIS application resides on and houses the production source code directories for a portion of the NEMIS modules.

FEMA-IT-10-47 (Repeat Issue: X; Risk Rating: 2)

Condition:
In FY 2009, we noted that FEMA's OCFO and NFIP financial systems development and acquisition projects were undertaken and progressed without (1) proper oversight of and direction to contractors, (2) development and approval of required project documentation, (3) the continual involvement of the OCIO to ensure appropriate consideration and integration of IT security, and (4) the joint communication and decision-making of FEMA OCFO, OCIO and NFIP management. As a result, we recommended that FEMA management define and implement formal and repeatable processes to ensure that financial systems development and acquisition projects are conducted in compliance with DHS SELC and acquisition requirements as well as Federal guidance.

During the FY 2010 audit engagement, we determined that FEMA management has not implemented corrective actions or developed a corrective action plan to address the prior year weaknesses noted. Specifically, entity-level corrective actions to integrate and develop sufficient and effective methods of communication to ensure that significant financial-related system development and acquisition projects involve all relevant stakeholders, including the OCFO, have not been established.

Recommendation:
• Define and implement formal and repeatable entity level control processes to ensure that financial systems development and acquisition projects are conducted in compliance with DHS SELC and acquisition requirements as well as Federal guidance. The processes should define steps to include, but are not limited to, formal approval of required project documentation, sufficient contractor oversight, definitions of project roles and responsibilities so that decision making includes the appropriate involvement of all stakeholders and relevant FEMA management, establishment of Acquisition Decision Events (ADEs) at each SELC phase, and integration of IT security considerations throughout all project phases.
• Identify and formally assign stakeholders associated with the remediation efforts over aligning the DHS SELC methodology with FEMA's acquisition development process to ensure appropriate participation from all required organizations within FEMA in both the development of policies and procedures and integration of the financial systems acquisitions
life cycle stages as required by DHS policy.\n            Additionally, FEMA management has not taken action to\n            enhance and further develop current acquisition\n            management processes to ensure that organization-specific\n            requirements exist and are implemented so that each\n            project meets organizational mission needs and functional\n            and technical requirements as required by DHS and NIST\n            guidance.\nFEMA-IT\xc2\xad    FEMA IT security management responsibilities were not       \xef\xbf\xbd   Establish and document a formalized process to          X                 3\n  10-48     consistently or adequately assigned and performed over          provide IT security management oversight to\n            the FEMA POA&M process for FY 2009 IT audit                     ensure that adequate periodic review and\n            findings, in accordance with DHS guidance. Specifically:        assessment of security controls are performed and\n                                                                            corrective actions are appropriately assigned and\n            \xef\xbf\xbd   POA&Ms created by FEMA management in response\n                                                                            implemented over identified security weaknesses\n                to FY 2009 IT financial statement audit findings were\n                                                                            through the POA&M process.\n                not consistently categorized with the appropriate\n                criticality level in accordance with DHS policy.        
\xef\xbf\xbd   Dedicate resources to fully implement DHS\n                Specifically, for 52 POA&Ms provided by FEMA on             requirements over the POA&Ms for audit\n                May 3, 2010, criticality was either undefined or            findings of FEMA financial systems, including\n                erroneously defined as \xe2\x80\x9cAnnual Assessment Finding\xe2\x80\x9d          the proper categorization of audit findings,\n                rather than \xe2\x80\x9cInitial Audit Finding\xe2\x80\x9d or \xe2\x80\x9cRepeat Audit        documentation of all stakeholders with\n                Finding,\xe2\x80\x9d as required.                                      remediation responsibilities, and monitoring of\n                                                                            POA&M activities to validate that corrective\n            \xef\xbf\xbd   FEMA management did not consistently document\n                                                                            actions are appropriately documented with\n                detailed corrective action plans or appropriate\n                                                                            associated milestones and evidence of\n                milestones, including required tests of design and\n                                                                            remediation is developed and retained.\n                effective implementation for financial system\n                POA&Ms.                                                 
\xef\xbf\xbd   Develop and implement a training program for\n                                                                            personnel with IT security responsibilities, such\n            \xef\xbf\xbd   FEMA management did not consistently assign\n                                                                            as system owners and ISSOs, to ensure that they\n                POA&M stakeholder ownership for corrective action\n                                                                            fully understand their roles and responsibilities to\n                plans or related milestones.\n                                                                            correctly categorize the findings, formally define\n                                                                            milestones, and validate the documentation and\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 58 \n \n\n\x0c                                                                                                                                                  Appendix B\n                                                         Department of Homeland Security\n \n\n                                                     Federal Emergency Management Agency \n\n                                                     Information Technology Management Letter \n\n                                                                September 30, 2010\n\n                                                                                                                                    New     Repeat    Risk\nNFR No.                            
Condition                                              Recommendation\n                                                                                                                                    Issue    Issue   Rating\n                                                                              testing of the corrective action implemented.\n                                                                          \xef\xbf\xbd   Develop and implement review procedures to\n                                                                              ensure developed POA&Ms are detailed enough\n                                                                              to demonstrate that the root cause of the issue has\n                                                                              been assessed and the milestones address the\n                                                                              necessary steps to fully remediate the weaknesses\n                                                                              as required by DHS policy.\nFEMA-IT\xc2\xad    During the FY 2010 follow-up testwork, we determined          \xef\xbf\xbd   Dedicate resources to assess the usage of IFMIS-                X        2\n  10-49     that weaknesses noted in FY 2009 continue to exist.               Merger system security functions against DHS\n            Specifically, we determined that no additional policies and       policy requirements and determine gaps that exist\n            procedures to establish a process for implementing change         within existing system documentation over the\n            controls for the maintenance of system security functions         security functions.\n            have been developed by FEMA or the IT developer of\n            IFMIS-Merger. 
FEMA has not adequately ensured that            \xef\xbf\xbd   Develop and implement policies and procedures\n            appropriate privileges granted to users are created,              documenting the process of adding, deleting, and\n            documented, and approved.                                         modifying IFMIS-Merger system security\n                                                                              functions to ensure that proper controls are in\n            We were informed by FEMA personnel that the system                place for approving, testing and documenting\n            security functions are created and modified to provide            these functions prior to implementation, in\n            additional functionality under specific menus in the              accordance with DHS policy. These policies and\n            IFMIS-Merger application. As a result, these changes to           procedures should include requirements over\n            the menu provide additional functionality to the users with       independent monitoring of the creation,\n            access to those menus. 
However, current documentation             modification and deletion of system security\n            over IFMIS-Merger, including access authorization forms,          functions, and requirements for updating system\n            change management plans and SSPs, do not define how to            documentation to reflect the impact of the\n            manage and document changes to these functions to ensure          changes to user account privileges.\n            that approved changes are made and appropriate and\n                                                                          \xef\xbf\xbd   Develop and implement procedures to ensure that\n            traceable access is granted to IFMIS-Merger users.\n                                                                              functions   updated   through    the   change\n                                                                              management process are formally approved and\n            While FEMA has received the IFMIS Security Functions\n                                                                              documented and that appropriate system\n            Reference Guide dated 2007 from the software vendor, we\n                                                                              documentation for IFMIS-Merger system security\n            determined that the documentation is a technical reference\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 59 \n \n\n\x0c                                                                                                                                                Appendix B\n                                                          Department of Homeland Security\n \n\n                                                      Federal Emergency Management Agency \n\n                           
                           Information Technology Management Letter \n\n                                                                 September 30, 2010\n\n                                                                                                                                  New     Repeat    Risk\nNFR No.                             Condition                                              Recommendation\n                                                                                                                                  Issue    Issue   Rating\n            manual that defines the capabilities of the system, usage of       functions is updated and retained, in accordance\n            the various system security functions, menu options and            with DHS policy.\n            related permissions for each function. However, the guide\n            does not address the management of these system security\n            functions from a change control and access control\n            perspective for FEMA. 
Additionally, the guide does not\n            include requirements for updating system documentation\n            and tracking these system security function changes to\n            privileges in the system.\n\n            Consequently, based on our testwork, we concluded that a\n            formalized process for modifying specific IFMIS-Merger\n            system security functions to ensure that appropriate\n            privileges are created, documented, approved, and\n            monitored does not exist.\nFEMA-IT\xc2\xad    During the FY 2010 audit engagement, we determined that        \xef\xbf\xbd   Implement and require two-factor authentication              X        3\n  10-50     the following conditions related authorization of external         for all remote access to the FEMA network, as\n            connections to the FEMA VPN continue to exist:                     required by DHS policy and Federal Information\n                                                                               Processing Standards (FIPS) 140-2.\n            \xef\xbf\xbd   Two-factor authentication is not used for VPN access,\n                as required by DHS policy.                                 \xef\xbf\xbd   Revise and implement policies and procedures for\n                                                                               documenting, reviewing, and approving the\n            \xef\xbf\xbd   The existing documentation that defines the process\n                                                                               security controls in place over non-DHS\n                for granting and maintaining VPN access to the\n                                                                               equipment connecting to the FEMA network via\n                FEMA network does not include requirements for\n                                                                               VPN access. 
Specifically, clearly define and\n                administering the site survey process, including\n                                                                               document a formalized process for the\n                requirements for the authorization of the sites surveys,\n                                                                               authorization, review, and maintenance of VPN\n                recertification of site surveys, and the security\n                                                                               access agreements between FEMA and external\n                requirements associated with the various aspects of the\n                                                                               entities. Additionally, ensure that within the\n                process.\n                                                                               policies and procedures, appropriate roles and\n            \xef\xbf\xbd   FEMA has not formally identified and documented the            responsibilities over the process are defined to\n                roles and responsibilities necessary within FEMA to            include authorizations by the CISO/Information\n                properly authorize and administer VPN access to                System Security Manager (ISSM) to connect to\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 60 \n \n\n\x0c                                                                                                                                              Appendix B\n                                                       Department of Homeland Security\n \n\n                                                   Federal Emergency Management Agency \n\n                                                   Information Technology Management Letter \n\n  
                                                            September 30, 2010\n\n                                                                                                                                 New     Repeat    Risk\nNFR No.                           Condition                                             Recommendation\n                                                                                                                                 Issue    Issue   Rating\n               individuals using non-DHS equipment to access the            non-DHS equipment.\n               FEMA network.\n                                                                        \xef\xbf\xbd   Ensure that agreements related to VPN access are\n           \xef\xbf\xbd   Access for state emergency management agencies and           reviewed and recertified when a major system\n               FEMA contractors to load the VPN client onto state or        change occurs or every three years, in accordance\n               contractor owned equipment to connect to the FEMA            with DHS policy.\n               LAN is approved by the SOC. However, DHS policy\n               requires that any non-DHS equipment connecting to a      \xef\xbf\xbd   Formally identify and document appropriate roles\n               DHS network must be authorized by the Component              and responsibilities related to management of\n               CISO/ISSM.                                                   
remote access to the FEMA network, including\n                                                                            iPass and VPN.\n           \xef\xbf\xbd   FEMA\xe2\x80\x99s VPN Rules of Behavior for Users Behind\n               Corporate Firewalls, dated December 5, 2002,             \xef\xbf\xbd   Document and implement policies and\n               requires an Inter-Agency VPN Agreement between               procedures to ensure that formalized ISAs,\n               FEMA and external organizations before permitting            MOUs, or MOAs, delineating security\n               VPN access to the FEMA network through non-                  responsibilities by FEMA and external\n               Government issued equipment such as contractor or            organizations when connecting through non-DHS\n               state agency workstations. However, we determined            equipment to the FEMA network via VPN access\n               that Inter-Agency VPN Agreements have not been               are used. 
Such agreements should include\n               documented and that this requirement is inconsistent         evidence of validation by FEMA management\n               with DHS policy, which requires Interconnection              that security controls in place on external entity\n               Security Agreements (ISAs) or Memoranda of                   networks are appropriate and satisfy requirements\n               Understanding/Memoranda         of       Agreement           for minimum security controls on DHS and\n               (MOUs/MOAs) prior to establishing a VPN                      FEMA systems prior to connection in accordance\n               connection from equipment operating on an external           with DHS policy.\n               network.\n           \xef\xbf\xbd   FEMA\xe2\x80\x99s approval of requests for network connections\n               to external organizations through VPN access for\n               remote users is based on security control information\n               submitted by the external entities via site surveys.\n               Based upon our review of existing site surveys and the\n               site survey process, we noted that:\n               \xef\xbf\xbd The site surveys do not contain the level of\n          Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 61 \n \n\n\x0c                                                                                                                                               Appendix B\n                                                        Department of Homeland Security\n \n\n                                                    Federal Emergency Management Agency \n\n                                                    Information Technology Management Letter \n\n                                                               September 30, 2010\n\n            
                                                                                                                     New     Repeat    Risk\nNFR No.                           Condition                                              Recommendation\n                                                                                                                                 Issue    Issue   Rating\n                    technical granularity describing the external\n                    network     security   controls   required   to\n                    appropriately approve a connection to the FEMA\n                    LAN, and the FEMA SOC does not independently\n                    verify the accuracy of information in the site\n                    surveys submitted by external entities prior to\n                    approving the connection and subsequently\n                    granting VPN access to users.\n                \xef\xbf\xbd   DHS guidance indicates that a single ISA may be\n                    used for multiple connections provided that the\n                    security accreditation is the same for all\n                    connections covered by that ISA. However, we\n                    determined that the security accreditation of the\n                    connecting networks is not being evaluated by the\n                    FEMA SOC during the review of site surveys to\n                    ensure the security requirements are appropriately\n                    implemented.\n            In FY 2009, we identified weaknesses over configuration      \xef\xbf\xbd   Document and implement formalized policies and                X        3\n            management controls related to NEMIS program libraries           procedures for restricting and monitoring access\n            and directories within the Test and Development                  to the NEMIS TDL directories to ensure that the\n            Laboratory (TDL) environment. 
During the FY 2010                 principles of least privilege and segregation of\n            audit, we determined that the following weaknesses               duties are enforced, in accordance with DHS\n            continue to exist:                                               guidance.       The process should include\nFEMA-IT\xc2\xad                                                                     requirements over periodic monitoring and\n            \xef\xbf\xbd   Controls to segregate access within the TDL\n  10-51                                                                      documented reviews of NEMIS TDL directories\n                environment    have    not    been    appropriately\n                                                                             to verify that no changes have occurred after the\n                implemented. Specifically, IT Systems Integration\n                                                                             approval of NEMIS system changes.\n                personnel do not grant separate privileges to\n                development code, which is moved to TDL by the           \xef\xbf\xbd   Implement technical controls within the NEMIS\n                systems developer, and pre-production code, which            TDL environment to limit developers\xe2\x80\x99 access to\n                has completed User Acceptance Testing (UAT) and is           pre-production directories containing \xe2\x80\x9clocked\xe2\x80\x9d\n                pending deployment to the NEMIS production                   application code changes to \xe2\x80\x9cread only\xe2\x80\x9d. 
If\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 62 \n \n\n\x0c                                                                                                                                                Appendix B\n                                                        Department of Homeland Security\n \n\n                                                    Federal Emergency Management Agency \n\n                                                    Information Technology Management Letter \n\n                                                               September 30, 2010\n\n                                                                                                                                  New     Repeat    Risk\nNFR No.                            Condition                                             Recommendation\n                                                                                                                                  Issue    Issue   Rating\n                environment. As a result, developers have read, write        business needs require that the segregation of\n                and execute privileges to all code in the TDL                duties cannot be immediately implemented,\n                environment.                                                 FEMA should document and implement policies\n                                                                             and procedures to compensate for the risk\n            \xef\xbf\xbd   Code approved for implementation is not locked down          associated with the segregation of duties\n                within the TDL environment prior to deployment to            weakness noted, in accordance with DHS\n                production. 
Appendix B
Department of Homeland Security
Federal Emergency Management Agency
Information Technology Management Letter
September 30, 2010

Table columns: NFR No. | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

(Continued from the preceding page)

Condition (continued): Additionally, while an ad-hoc review is performed over the directories to monitor the modification dates on the production code directories, this process is not performed consistently or documented to mitigate the risk associated with not restricting access to the approved code.

Recommendation (continued): ... guidance.


NFR No.: FEMA-IT-10-52
New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
Conditions noted in FY 2009 related to weaknesses over vulnerability assessments for the Windows server environment within the NFIP LAN supporting the Traverse application continue to exist in FY 2010. Specifically:

• While procedures have been developed, the NFIP contractor has not fully implemented the process for conducting internal vulnerability scans for information systems and for assessing, reporting, and correcting identified weaknesses through the POA&M process in accordance with FEMA and DHS guidance.
• FEMA does not have documented and approved procedures that establish formal requirements, processes, and responsibilities for conducting monitoring and oversight of regular vulnerability scans performed over the NFIP LAN which supports Traverse to meet DHS vulnerability assessment requirements.
• Furthermore, while ad hoc scans were performed in previous years by the contractor, evidence of periodic NFIP network scanning conducted in FY 2010 could not be obtained. Additionally, we inquired with FEMA and determined that scans over the NFIP LAN supporting the Traverse application were not performed by the FEMA SOC.

Recommendation:
• Document and implement formal policies and procedures that outline the processes and requirements for performing internal vulnerability scans over all NFIP information systems as well as the process for assessing, reporting, and correcting weaknesses identified during scans as required by FEMA and DHS policy.
• Ensure that policies and procedures formally designate responsibilities of FEMA OCIO and NFIP IT security management for the implementation, monitoring, and oversight of the vulnerability scanning process, so that the scope of vulnerability scans conducted includes all NFIP workstations and servers and includes requirements for formally tracking and monitoring the remediation of vulnerabilities identified during the internal scans of the NFIP LAN through the POA&M process, in accordance with DHS policy.


NFR No.: FEMA-IT-10-53
New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
During our FY 2010 audit test work, we noted that NFIP has not established or implemented an effective process to periodically recertify user access, including service accounts, on the TRRP mainframe. Currently, NFIP requires users to sign security awareness and training certifications on an annual basis. However, no review of users' access and privileges is conducted by management on a periodic basis to ensure system access remains appropriate and commensurate with job responsibilities in accordance with DHS guidance.

Additionally, we noted through inspection of the TRRP access procedures that no process has been established to formally document both the approval and business need for service accounts.

Recommendation:
• Complete the revision, documentation, and full implementation of TRRP access control policies and procedures, and ensure that they include a formalized process for the recertification of all accounts on the mainframe, including service accounts, on an annual basis to determine that access remains appropriate and commensurate with job responsibilities in accordance with DHS policy.
• Document and implement policies and procedures over the creation of service accounts to ensure that they are appropriately authorized and that a clear business need is established and documented justifying the creation and use of these types of accounts in accordance with DHS policy.


NFR No.: FEMA-IT-10-54
New Issue: X    Repeat Issue: -    Risk Rating: 3

Condition:
During the FY 2010 audit engagement, we determined that weaknesses existed in the implementation of DHS SELC requirements over the IFMIS-Merger Project. Specifically, throughout the lifecycle of the project, FEMA management did not adequately define and implement required elements of the DHS SELC process, including:

• A detailed and comprehensive Project Tailoring Plan to define required stages, activities, artifacts, and exit criteria for the project per DHS SELC guidance was not developed and approved by FEMA management.
• Approvals for project critical documentation demonstrating that all required stakeholders reviewed and approved the results before advancing to subsequent SELC stages could not be provided.
• FEMA could not provide a Data Migration Plan and Test Strategy to demonstrate that critical DHS SELC requirements were documented and approved prior to implementation of the data migration.
• System security requirements and milestones were not documented and integrated into key project documentation, such as Business Requirements documents, project schedules, Project Management Plans, and Risk Management Plans.
• Project documentation including the Project Management Plan, the Risk Management Plan, and Business Requirements documents were not updated and revised throughout the project duration as required by the DHS SELC.
• Key information such as roles and responsibilities of all stakeholders, guidelines for developing business requirements documentation, requirements for stage reviews, and key exit criteria before moving to the next stage of the project were not integrated into the project schedule, Project Plan, and Communications Plan.
• FEMA management did not provide adequate oversight of the contractors implementing the IFMIS-Merger Project. Specifically, documented evidence supporting the approval, validation, and retention of required artifacts associated with the data migration and other key project management documents could not be provided by FEMA or were insufficient based on DHS requirements.

Recommendation:
Conduct and document a lessons learned report related to the IFMIS-Merger project per DHS SELC guidance. By conducting such an activity, FEMA management will be able to maintain a record of lessons learned in order to increase the probability of success for future acquisitions through the improvement of processes, tools, and other project related entities.

Additionally, we determined that the root cause associated with the weaknesses noted over the SELC process is related to the entity level control issue identified in FEMA-IT-10-47, FEMA Management Needs to Improve Planning, Management, and Communication Related to Financial Systems Development and Acquisition Projects. While the IFMIS-Merger project has been completed, corrective action over the establishment of a process to provide oversight to the implementation of the SELC methodology must be completed. Please see NFR FEMA-IT-10-47 for recommendations related to the establishment of this process.


NFR No.: FEMA-IT-10-55
New Issue: X    Repeat Issue: -    Risk Rating: 2

Condition:
During our FY 2010 audit test work, we noted the following weaknesses related to the management and monitoring of user accounts and activity on the NFIP LAN supporting Traverse:

• NFIP has not established or implemented a formal process to periodically recertify all accounts with access to the NFIP LAN supporting Traverse, as required by DHS and FEMA policy. Specifically, six system and/or service accounts on the FEMA LAN remained active absent an acceptable documented business need and justification. We were informed by NFIP management that these accounts were no longer needed, and they were removed from the system during test work.
• Audit logs generated and reviewed on the NFIP LAN do not include changes to user account privileges as required by DHS and FEMA policy.
• Audit logs for the NFIP LAN are not retained for at least 90 days, in accordance with DHS policy.

Recommendation:
• Complete the revision, documentation, and full implementation of access control policies and the NFIP LAN system account management procedures to align with DHS requirements such as recertification of accounts and audit log reviews. Specifically, ensure that they include a formalized process for the recertification of all accounts on the NFIP LAN, including service accounts, on an annual basis to determine if access remains appropriate and commensurate with job responsibilities in accordance with DHS policy.
• Document and implement policies and procedures over the creation of service accounts to ensure that they are appropriately authorized and that a clear business need is established and documented justifying the creation and use of these types of accounts in accordance with DHS policy.
• Configure the NFIP LAN audit logs to include changes to user account privileges and ensure that storage capacity settings of audit logs are configured to retain the logs for 90 days online as required by DHS and FEMA policy.


NFR No.: FEMA-IT-10-56
New Issue: X    Repeat Issue: -    Risk Rating: 2

Condition:
During our FY 2010 audit engagement, we noted the following weaknesses related to the monitoring of user accounts and activity on the TRRP mainframe:

• Segregation of duties is not properly implemented over the review and maintenance of TRRP audit logs. Specifically, the TRRP system administrator is responsible for reviewing TRRP audit logs, and a second independent reviewer is not required.
• Audit logs generated and reviewed on the TRRP mainframe do not include changes to user account privileges as required by DHS and FEMA policy.

Recommendation:
• Develop and implement TRRP audit logging policies and procedures that include requirements for audit log configurations and the review of logs by IT security management independent of the system administration team in accordance with DHS policy.
• Configure the TRRP audit logs to include changes to user account privileges as required by DHS and FEMA policy.


NFR No.: FEMA-IT-10-57
New Issue: X    Repeat Issue: -    Risk Rating: 2

Condition:
During our FY 2010 audit test work, we noted that NFIP has not established or implemented a formal process to authorize or periodically review remote access to the LAN hosting the TRRP mainframe environment in accordance with DHS and NIST guidance.

Recommendation:
• Develop, document, and fully implement policies and procedures over documenting, reviewing, and approving remote access to the NFIP LAN hosting the TRRP mainframe environment in accordance with FEMA and DHS requirements.
• Develop, document, and fully implement policies and procedures to perform a periodic recertification of all remote user access and retain auditable records as evidence that recertifications are conducted and completed in accordance with DHS and FEMA policy.


NFR No.: FEMA-IT-10-58
New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
While improvements were noted over the documentation of Traverse change management procedures during the FY 2010 audit test work, we determined that certain weaknesses identified in FY 2009 continue to exist over the Traverse configuration management process in comprehensively addressing FEMA and DHS change management policy. For example, we determined that:

• Established procedures do not include guidance for initial approvals, as we were informed that Traverse currently does not fall under review of the NFIP Change Control Board (CCB).
• Requirements for managing the change management program have not been adequately established and implemented to ensure that NFIP CCB and/or Technical Review Committee (TRC) approvals are granted prior to implementing changes into the Traverse production environment, as required by FEMA and DHS policy.
• Adequate oversight and involvement from FEMA management is not integrated into the configuration management requirements. Specifically, FEMA is not involved in testing and/or reviewing testing and approving changes to Traverse prior to implementation.
• Traverse changes are not required to be tested prior to implementing the change into production, as no testing environment exists.
• Limited testing requirements exist to guide personnel in the development of test plans and guidance over the testing that should be performed and documented. Additionally, roles and responsibilities over test plan procedures to ensure that plans are sufficient, document expected outcomes, and are reviewed and approved prior to development, are not documented.
• Requirements for Traverse emergency changes have not been formally defined.

Recommendation:
• Ensure the NFIP contractor continues to dedicate resources to establish and implement documented policies and procedures over the Traverse change management process for non-emergency and emergency changes which are in line with DHS configuration management requirements. Particular emphasis must be placed on approval by the NFIP CCB and/or TRC, initial change approvals, testing and testing requirements, final approvals, and retention of required change management artifacts to track all changes throughout their lifecycle. These phases should also include an integrated process to address system change requirements and stakeholder change requirements to ensure adequate testing and approvals are completed by the appropriate parties.
• Establish and implement a formal process to conduct user acceptance testing in a test environment prior to implementation in production.
• Allocate qualified NFIP management and OCIO IT security resources to provide adequate oversight for the configuration management process. Oversight activities should encompass requirements such as a NFIP Program Configuration Management Board responsible for managing and participating in the NFIP CCB and/or TRC to ensure that all required elements in the configuration management process are formally defined and implemented in accordance with DHS and FEMA guidance.
• Dedicate the resources to fully review and finalize approval of all NFIP contractor's configuration management policies and procedures to ensure the revised procedures are compliant with DHS requirements.


NFR No.: FEMA-IT-10-59
New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
While improvements were noted over the documentation of TRRP change management procedures during the FY 2010 audit test work, we determined that certain weaknesses identified in FY 2009 continue to exist over the TRRP configuration management process in comprehensively addressing FEMA and DHS change management policy. For example, we determined that:

• Requirements for managing the change management program have not been adequately established and implemented to ensure that CCB and/or TRC approvals are granted prior to implementing changes into the TRRP production environment, as required by FEMA and DHS policy. Specifically:
    • While a CCB has been established by NFIP management, adequate oversight and involvement from FEMA management has not been integrated into the configuration management requirements, including mandatory FEMA participation in the CCB and CCB approval of changes after testing has occurred.
    • FEMA management, including IT security and financial personnel, are not involved in testing and/or reviewing testing and approving changes to TRRP prior to implementation.
    • CCB reviews are not conducted for approval of final changes prior to implementation into production as required by FEMA and DHS guidance.
• Limited testing requirements exist to guide personnel in the development of test plans and guidance over the testing, including user acceptance testing, that should be performed and documented prior to approval and implementation into production. Additionally, roles and responsibilities over test plan procedures to ensure that plans are sufficient, document expected outcomes, and are reviewed and approved prior to development, are not documented.
• Requirements for TRRP emergency changes have not been formally defined in writing.

Furthermore, we performed test work over initial and final approvals for a selection of 25 TRRP changes made in FY 2010 and noted the following exceptions:

• Documentation for 3 of the 25 changes could not be provided.
• 17 of 22 changes tested did not have initial approvals documented prior to developing the change.
• 9 of 22 changes tested did not have all the required approvals prior to implementation.
• 1 of 22 changes tested was implemented prior to change documentation being completed.

Recommendation:
• Ensure the NFIP contractor continues to dedicate resources to establish and implement documented policies and procedures over the TRRP change management process for non-emergency and emergency changes which are in line with DHS configuration management requirements. Particular emphasis must be placed on initial change approvals, testing and testing requirements, final approvals, and retention of required change management artifacts to track all changes throughout their lifecycle. These phases should also include an integrated process to address system change requirements and stakeholder change requirements to ensure adequate testing and approvals are completed by the appropriate parties.
• Allocate qualified NFIP management and OCIO IT security resources to provide adequate oversight for the configuration management process. Oversight activities should encompass requirements such as a NFIP Program Configuration Management Board responsible for managing and participating in the NFIP CCB and/or TRC to ensure that all required elements in the configuration management process are formally defined and implemented in accordance with DHS and FEMA guidance.
• Dedicate the resources to fully review and finalize approval of all NFIP contractor's configuration management policies and procedures to ensure the revised procedures are compliant with DHS requirements.


NFR No.: FEMA-IT-10-60
New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
Weaknesses identified in FY 2009 related to controls to restrict access and control movement of Traverse program libraries and data continue to exist in FY 2010. Specifically:

• Implementation procedures over Traverse changes have not been established, and current processes do not incorporate segregation of duties requirements. Specifically, NFIP IT contractors use their individually assigned system administrator accounts to log on and create sessions to allow a third-party development vendor to install Traverse system changes.
• NFIP does not have a formal process for monitoring changes that the vendor makes in Traverse while logged in as an administrator.

Recommendation:
• In accordance with policy, enforce requirements over individual user accounts by not allowing vendors to use a system administrator's account to access the system and deploy changes into production.
• Document and implement policies and procedures to limit Traverse developer and application support vendor access to the NFIP production environment to "read only" through an assigned user account, and segregate the responsibility for deploying application code changes into production from the development/support vendor to an independent control group. Additionally, procedures should include implementation process requirements for controlling access to production directories. If business needs require that the segregation of duties cannot be immediately implemented, FEMA should document and implement policies and procedures to mitigate the risk associated with the segregation of duties weakness noted, in accordance with DHS guidance, including a formalized process for performing and documenting reviews of activity performed by third-party vendors within the Traverse environment.


NFR No.: (continues on the following page)
New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
As noted during the FY 2009 audit engagement, weaknesses over contingency planning for both the Traverse and TRRP systems continue to exist in FY 2010.

Recommendation:
• Develop, document, and fully implement an IT Contingency Plan for NFIP components, including TRRP and Traverse.
Additionally,\n            Specifically:                                                    ensure that contingency planning documentation\n                                                                             includes detailed instructions for restoring\n            \xef\xbf\xbd   While the NFIP/LSS Contingency Plan, which\nFEMA-IT\xc2\xad                                                                     operating system software and critical\n                pertains to the contingency planning around Traverse\n  10-61                                                                      applications in the event of a disaster,\n                and the NFIP LAN, has been updated for FY 2010, the\n                                                                             contingency, or disruption of service in\n                following elements are not in compliance with DHS\n                                                                             accordance with DHS and NIST policy\n                and NIST requirements:\n                                                                             requirements for systems categorized at the high\n                \xef\xbf\xbd   The NFIP/LSS IT Contingency Plan does not                impact availability objective.\n                    document detailed instructions for restoring\n                                                                         \xef\xbf\xbd   Conduct and document annual tests of the TRRP\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 71 \n \n\n\x0c                                                                                                                                                 Appendix B\n                                                         Department of Homeland Security\n \n\n                                    
                 Federal Emergency Management Agency \n\n                                                     Information Technology Management Letter \n\n                                                                September 30, 2010\n\n                                                                                                                                   New     Repeat    Risk\nNFR No.                            Condition                                              Recommendation\n                                                                                                                                   Issue    Issue   Rating\n                    operating systems and critical applications in the        and Traverse IT Contingency Plan(s) that address\n                    event of a disaster, contingency, or disruption of        all critical phases of the plan(s), and update\n                    service.                                                  contingency planning documentation with lessons\n                                                                              learned, as necessary and in accordance with DHS\n                \xef\xbf\xbd   The NFIP/LSS IT Contingency Plan does not                 and NIST requirements.\n                    designate the current alternate processing facility\n                    for the operating environment.                        \xef\xbf\xbd   Dedicate resources to establish and implement an\n                                                                              alternate processing site for the NFIP systems in\n                \xef\xbf\xbd   Testing of the NFIP/LSS IT Contingency Plan has           accordance with DHS policy requirements.\n                    not been performed in the 12 months, as required\n                    by DHS policy.                                        
\xef\xbf\xbd   Until an alternate processing site is established,\n                                                                              develop and submit an exception for approval in\n            \xef\xbf\xbd   FEMA and NFIP management have not documented                  accordance with DHS policy, and ensure that\n                or approved a current IT Contingency Plan for the             compensating controls over the lack of an\n                mainframe environment supporting the TRRP system              alternate processing site have been implemented\n                in accordance with FEMA and DHS requirements.                 and are effective, and documentation of their\n            \xef\xbf\xbd   Contingency testing over TRRP was not sufficiently            effectiveness is maintained as auditable records.\n                conducted in accordance with DHS and NIST                 \xef\xbf\xbd   Document, implement, and maintain the NFIP\n                requirements. 
While a limited disaster recovery test of       COOP to ensure required elements for Traverse\n                the NFIP mainframe environment, including TRRP,               and TRRP are included in accordance with DHS\n                was performed in October 2009 to test restoration of          guidance for high impact systems.\n                data, all elements required to be tested under the DHS\n                requirements for an IT Contingency Plan were not\n                sufficiently addressed and could not be used to\n                validate the effectiveness of the organization\xe2\x80\x99s\n                contingency planning controls.\n            \xef\xbf\xbd   The NFIP contractor\xe2\x80\x99s COOP for Traverse and TRRP\n                could not be provided for auditor review.\n                                                                          \xef\xbf\xbd   Document and establish a centralized and                       X        3\n            Conditions noted in FY 2009 related to weaknesses over\nFEMA-IT\xc2\xad    the NEMIS configuration management process continue to            integrated change management process over\n  10-62     exist in FY 2010. 
Based on our testwork, we concluded             NEMIS to ensure that adequate controls are\n            that NEMIS configuration management is not adequately             implemented throughout the lifecycle of the\n\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 72 \n \n\n\x0c                                                                                                                                                 Appendix B\n                                                        Department of Homeland Security\n \n\n                                                    Federal Emergency Management Agency \n\n                                                    Information Technology Management Letter \n\n                                                               September 30, 2010\n\n                                                                                                                                    New     Repeat    Risk\nNFR No.                            Condition                                              Recommendation\n                                                                                                                                    Issue    Issue   Rating\n            and centrally controlled, documented, or managed                 configuration management process, in accordance\n            throughout the lifecycle of the FEMA configuration               with DHS and FEMA policy.\n            management process. 
Specifically, we identified the\n            following weaknesses:                                        \xef\xbf\xbd   Formally      designate     FEMA       management\n                                                                             responsibilities for oversight and implementation\n            \xef\xbf\xbd   NEMIS configuration management policy and                    of controls for initiating, monitoring, testing, and\n                procedures which outline FEMA\xe2\x80\x99s responsibilities and         approving all NEMIS non-emergency and\n                processes for initiating, monitoring, testing, and           emergency changes;\n                approving NEMIS non-emergency and emergency\n                changes that are developed under the various             \xef\xbf\xbd   Establish a centralized, formal process to monitor,\n                development contracts have not been documented and           document, and track NEMIS software changes\n                approved by FEMA management, in accordance with              throughout the configuration management\n                DHS and FEMA policy.                                         
lifecycle, from initial approval through\n                                                                             implementation into the production environment.\n            \xef\xbf\xbd   FEMA does not have a centralized program\n                management function or process to monitor and track\n                NEMIS SCRs throughout the configuration\n                management lifecycle, from initial approval through\n                implementation into the production environment.\n            During the FY 2010 audit engagement, we noted                \xef\xbf\xbd   Revise, document and fully implement a                  X                 2\n            weaknesses over the IFMIS-Merger Configuration                   comprehensive     configuration   management\n            Management Plan (CMP). Based on our testwork, we                 program that includes a Configuration\n            concluded that the IFMIS configuration management                Management Plan for IFMIS-Merger, which\n            process does not meet comprehensive change management            aligns with all applicable DHS and FEMA\n            process requirements and procedures as required by DHS           requirements and reflects the current IFMIS-\nFEMA-IT\xc2\xad    and NIST guidance because it is not adequately                   Merger operating environment and all applicable\n  10-63     documented. For example, we identified the following             IT components.\n            weaknesses:\n                                                                         \xef\xbf\xbd   Include in policies and procedures (a) clearly\n            \xef\xbf\xbd   The IFMIS CMP provided in July 2010 is in draft and          defined and formalized responsibilities for change\n                has not been updated to reflect the new IFMIS-Merger         management oversight bodies including a\n                operating environment. 
Specifically, the plan includes       Configuration/Change Control Board and (b)\n                Core IFMIS and G&T IFMIS, but does not address the           sufficiently   detailed    responsibilities    and\n                IFMIS-Merger instance that began operations in\n           Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                              Page 73 \n \n\n\x0c                                                                                                                                          Appendix B\n                                                         Department of Homeland Security\n \n\n                                                     Federal Emergency Management Agency \n\n                                                     Information Technology Management Letter \n\n                                                                September 30, 2010\n\n                                                                                                                             New     Repeat    Risk\nNFR No.                            Condition                                          Recommendation\n                                                                                                                             Issue    Issue   Rating\n               February 2010.                                              
requirements for security impact analyses, test\n                                                                           plan development, and approval for non-\n           \xef\xbf\xbd   Infrastructure information     for    the in-scope          emergency and emergency change procedures.\n               applications does not include the server information\n               for G&T IFMIS, which was operational when the plan\n               was last revised in November 2009.\n           \xef\xbf\xbd   The CCB has not been formally and fully integrated\n               into the FEMA change management process. While\n               we were informed that a CCB for IFMIS was\n               established on March 22, 2010, we determined that the\n               requirements over the roles and responsibilities as well\n               as the membership of the CCB were not clearly\n               defined, implemented, and documented to ensure that\n               DHS requirements are met.\n           \xef\xbf\xbd   Membership of the \xe2\x80\x9cSCR Review Team\xe2\x80\x9d responsible\n               for initial approval for development of any changes to\n               the application is not formally defined.\n           \xef\xbf\xbd   Requirements that security impact analyses be\n               performed prior to implementation of changes have\n               not been documented.\n           \xef\xbf\xbd   Limited testing requirements exist to guide FEMA\n               personnel in the development of test plans and\n               guidance over the testing that should be performed\n               and documented.             
Additionally, roles and\n               responsibilities over test plan procedures to ensure that\n               plans are sufficient, document expected outcomes, and\n               are reviewed and approved prior to development, are\n               not documented.\n           \xef\xbf\xbd   Requirements over emergency changes have not been\n               defined in writing.\n\n          Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit \n \n\n                                                             Page 74 \n \n\n\x0c                                                                                 Appendix C\n                             Department of Homeland Security\n \n\n                         Federal Emergency Management Agency \n \n\n                         Information Technology Management Letter \n \n\n                                    September 30, 2010\n\n\n\n\n                                      APPENDIX C\n Status of Prior Year Notices of Findings and Recommendations and \n \n\n                           Comparison to \n \n\n    Current Year Notices of Findings and Recommendations at the \n \n\n             Federal Emergency Management Agency \n \n\n\n\n\n\nInformation Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial \n\n                                      Statement Audit\n \n\n                                           Page 75 \n \n\n\x0c                                                                                              Appendix C\n                                Department of Homeland Security\n                            Federal Emergency Management Agency\n                            Information Technology Management Letter\n                                       September 30, 2010\n\n\n                                                                                         Disposition\n   NFR No.                                
Description                              Closed        Repeat\n\n                Configuration Management Weaknesses on IFMIS, NEMIS, and Key\nFEMA-IT-09-02\n                Support Servers (vulnerability assessment finding)                           FEMA-IT-10-41\nFEMA-IT-09-03   Weaknesses Exist over Recertification of Access to IFMIS                     FEMA-IT-10-14\n                Documentation Supporting the IFMIS User Functions Does Not\nFEMA-IT-09-06\n                Exist                                                                        FEMA-IT-10-49\nFEMA-IT-09-12   NEMIS Access Controls Need Improvement                                       FEMA-IT-10-01\n                Employee Termination Process for Removing System Access Should\nFEMA-IT-09-13\n                be More Proactive                                                            FEMA-IT-10-21\n                System Programmers Have the Ability to Migrate Code into the\nFEMA-IT-09-17\n                IFMIS Production Environment                                                 FEMA-IT-10-39\nFEMA-IT-09-19   Monitoring of NEMIS System Software Needs Improvement                        FEMA-IT-10-04\nFEMA-IT-09-22   Alternate Processing Site for NEMIS Has Not Been Established                 FEMA-IT-10-02\nFEMA-IT-09-24   NEMIS Backups are Not Tested in Accordance with Policy                       FEMA-IT-10-36\nFEMA-IT-09-25   The NEMIS Contingency Plan is Not Tested                                     FEMA-IT-10-20\n                NEMIS Configuration Management Process for Non-Emergency\nFEMA-IT-09-28\n                Changes Needs Improvement                                                    FEMA-IT-10-62\nFEMA-IT-09-29   NEMIS Emergency Change Process Needs Improvement                             FEMA-IT-10-62\nFEMA-IT-09-38   Segregation of Duties Not Enforced for Traverse                      X\n                Traverse Contingency Plan Not Tested and NFIP Disaster 
Recovery\nFEMA-IT-09-39                                                                                FEMA-IT-10-61\n                and COOP Needs Improvement\n                IFMIS User Access is not Managed in Accordance with Account\nFEMA-IT-09-45\n                Management Procedures                                                        FEMA-IT-10-26\n                IFMIS System Interconnections Agreements Have Not Been\nFEMA-IT-09-46                                                                        X\n                Reauthorized\n                Corrective Action over NEMIS Vulnerabilities is Not Formally\nFEMA-IT-09-48\n                Documented                                                                   FEMA-IT-10-33\n                Weaknesses Exist over IFMIS Application and Database Audit\nFEMA-IT-09-50\n                Logging                                                                      FEMA-IT-10-11\nFEMA-IT-09-51   NEMIS Oracle Audit Logging is Not Tracked                                    FEMA-IT-10-09\n                Existing NEMIS Patch Management Guidance Needs to be\nFEMA-IT-09-52\n                Implemented                                                                  FEMA-IT-10-35\n                The NEMIS SSP Had Not Been Fully Updated in Accordance with\nFEMA-IT-09-53\n                DHS Policy                                                                   FEMA-IT-10-18\nFEMA-IT-09-54   Traverse Application Management Needs Improvement                            FEMA-IT-10-58\n                G&T IFMIS Oracle Database Security Controls are Not Configured\nFEMA-IT-09-56\n                Properly                                                                     FEMA-IT-10-27\nFEMA-IT-09-57   G&T IFMIS Oracle Database Auditing is Not Sufficient                         FEMA-IT-10-13\n                Recertification of G&T IFMIS Application and Database Access has\nFEMA-IT-09-58\n                Not Been 
Performed                                                           FEMA-IT-10-15\n                System Programmers Have the Ability to Migrate Code into the\nFEMA-IT-09-59                                                                                FEMA-IT-10-40\n                G&T IFMIS Production Environment\nFEMA-IT-09-60   NFIP Legacy System C&A is Expired                                            FEMA-IT-10-24\nFEMA-IT-09-61   G&T IFMIS Certification & Accreditation has Not Been Performed               FEMA-IT-10-16\nFEMA-IT-09-62   VPN Remote Access is Not Appropriately Authorized or Monitored               FEMA-IT-10-25\nFEMA-IT-09-63   External Connections to the FEMA VPN are Not Appropriately\n                                                                                             FEMA-IT-10-50\n                Authorized or Documented\nInformation Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial \n \n\n                                      Statement Audit\n \n\n                                           Page 76 \n \n\n\x0c                                                                                              Appendix C\n                                 Department of Homeland Security\n                             Federal Emergency Management Agency\n                             Information Technology Management Letter\n                                        September 30, 2010\n\n                                                                                         Disposition\n   NFR No.                                
Description                              Closed        Repeat\n\nFEMA-IT-09-64 Core IFMIS Oracle Database is Not Configured to Prevent the Reuse\n              of Passwords                                                                   FEMA-IT-10-07\nFEMA-IT-09-65 G&T IFMIS Access Authorizations are Not Consistently\n              Documented                                                                     FEMA-IT-10-12\nFEMA-IT-09-66 NEMIS Oracle Database is Not Configured to Enforce DHS\n              Password Requirements                                                          FEMA-IT-10-06\nFEMA-IT-09-67 End-User Workstation Screensaver Configuration is Not Sufficient               FEMA-IT-10-03\nFEMA-IT-09-68 PARS Has Not Been Certified and Accredited                                     FEMA-IT-10-29\nFEMA-IT-09-69 Transaction Recording and Reporting Processing TRRP\n                                                                                             FEMA-IT-10-59\n              Configuration Management Plan Weaknesses\nFEMA-IT-09-70 Traverse and the NFIP LAN Configuration Patch Management\n                                                                                             FEMA-IT-10-23\n              Weaknesses\nFEMA-IT-09-71 Physical Security and Security Awareness Issues Were Identified\n                                                                                             FEMA-IT-10-38\n              During Enhanced Security Testing\nFEMA-IT-09-72 Exception Request over IFMIS Audit Logging is Inconsistent with\n                                                                                     X\n              Existing Controls\nFEMA-IT-09-73 Core and G&T IFMIS System Software Administrator Activity is\n                                                                                             FEMA-IT-10-44\n              Not Appropriately Monitored\nFEMA-IT-09-74 The FEMA Systems Inventory is Incomplete                       
        X\nFEMA-IT-09-75 Requirements for Recertification of Access to the NFIP Data Center     X\nFEMA-IT-09-76 Emergency and Temporary Access to the Core IFMIS Database is\n              Not Properly Authorized and Conflicts with Segregation of Duties               FEMA-IT-10-30\n              Principles\nFEMA-IT-09-77 FEMA and NFIP Planning, Management and Communication\n                                                                                               FEMA-IT-\n              Related to Financial Systems Development and Acquisition Projects\n                                                                                             FEMA-IT-10-47\n              Needs to be Improved\nFEMA-IT-09-78 Weaknesses Exist in the NEMIS Configuration Management Process\n              under the Enterprise Applications Development Integration and                  FEMA-IT-10-62\n              Sustainment (EADIS) contract\nFEMA-IT-09-79 Weaknesses Exist over Management of FEMA LAN Accounts                          FEMA-IT-10-22\nFEMA-IT-09-80 Vulnerability Assessments of the NFIP LAN is Inadequate                        FEMA-IT-10-52\nFEMA-IT-09-81 Improvements are Needed in Core and G&T IFMIS Internal\n                                                                                             FEMA-IT-10-34\n              Scanning Procedures and Processes\nFEMA-IT-09-82 Core and G&T IFMIS Patch Management Weaknesses                                 FEMA-IT-10-32\nFEMA-IT-09-83 EADIS NEMIS Access Restrictions to Program Directories Needs\n                                                                                             FEMA-IT-10-51\n              Improvement\nFEMA-IT-09-84 PARS Database Security Controls are Not Appropriately Established              FEMA-IT-10-05\nFEMA-IT-09-85 TRRP Password Configurations Have Not Been Configured in\n                                                                                     X\n              Accordance with 
DHS Policy
FEMA-IT-09-86  Weaknesses Exist over the Implementation of Traverse System Changes                           FEMA-IT-10-60
FEMA-IT-09-87  Weaknesses Exist in FEMA's Incident Response Program                                           FEMA-IT-10-31
FEMA-IT-09-88  Weaknesses Exist over Access Authorizations for TRRP                                           FEMA-IT-10-53
FEMA-IT-09-89  Weaknesses Exist over FEMA Background Investigations for Federal Employees and Contractors     FEMA-IT-10-45
FEMA-IT-09-90  FEMA LAN Certification and Accreditation Package is not Adequate                               FEMA-IT-10-28
FEMA-IT-09-91  FEMA Contractor Tracking Program is Inadequate                                                 FEMA-IT-10-10

Information Technology Management Letter for the FEMA Component of the FY 2010 DHS Financial Statement Audit
Page 77

Appendix D
Department of Homeland Security
Federal Emergency Management Agency
Information Technology Management Letter
September 30, 2010

U.S. Department of Homeland Security
Washington, D.C. 20472

FEMA

FEB 28 2011

MEMORANDUM FOR:   Frank Deffer
                  Assistant Inspector General
                  Information Technology Audits

THROUGH:          Brad Shefka
                  Chief, FEMA GAO/OIG Liaison

FROM:             Jeanne A. Etzel
                  Chief Information Officer/Director
                  Office of the Chief Information Officer

SUBJECT:          Response to Draft Audit Report - Information Technology Management
                  Letter for the Federal Emergency Management Agency Component of the
                  FY 2010 DHS Financial Statement Audit - For Official Use Only OIG
                  Project No: 11-002-ITA-FEMA dated February 2011

The Federal Emergency Management Agency (FEMA) appreciates the Department of Homeland Security (DHS) Office of the Inspector General providing KPMG's evaluation of FEMA's information technology (IT) general controls and their recommendations for improving FEMA's financial processing environment and related IT infrastructure. The evaluation has been very helpful in identifying areas requiring improvement and prioritizing work to implement their recommendations.

Generally FEMA concurs with the auditor's recommendations in the report referenced above. The Chief Information Officer (CIO) is resolute in directing these audit recommendations be effectively implemented in a timely manner. Weekly, FEMA's Audit Remediation Team meets with the Action Officer to review the status of implementing these recommendations and address issues that are impeding progress. Branch Chiefs receive weekly reports reflecting the current status of their organization's assigned actions and are working diligently to correct findings and implement recommendations. Implementation of corrective actions is a performance goal for each Branch Chief in the Office of the Chief Information Officer.

In addition to the detailed Plan of Action and Milestones (POA&M) for each audit recommendation in the DHS Trusted Agent FISMA (TAF) system, FEMA has developed detailed remediation work plans to ensure root causes are addressed. Remediation work plan status is discussed at weekly meetings with senior management. If you have any questions regarding the status of the planned actions, we are available to meet with your office. FEMA's senior leadership is committed to completing the remaining actions included in each of the POA&Ms at the earliest possible time.

If you have any questions, please have your staff contact Deborah Moradi, Chief, Governance and Investment Integration Branch, at 202-646-3154.

Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
General Counsel
Chief of Staff
Deputy Chief of Staff
Executive Secretariat
Under Secretary, Management
Administrator, FEMA
DHS Chief Information Officer
DHS Chief Financial Officer
Chief Financial Officer, FEMA
Chief Information Officer, FEMA
Chief Information Security Officer
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
FEMA Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.